Cannot get SSO to work in bot framework

Eugene De Villiers 30

I'm adding SSO for a multi-purpose bot.

I followed the SSO example from microsoft to setup an initial POC.

In my development environment I managed to make all SSO work and get the user token like this:

`var userTokenClient = turnContext.TurnState.Get

Akshay-MSFT 17,871 Reputation points Microsoft Employee

2024-05-16T06:10:32.5233333+00:00

@Eugene De Villiers

Thank you for posting your query on Microsoft Q&A, from above description I could understand that the SSO is working in dev (local environment) and not in production environment.

Could you please confirm what platform is the application hosted on? Is it azure app services or an on prem server?

Thanks,

Akshay Kaushik
Eugene De Villiers 30 Reputation points

2024-05-16T12:48:05.08+00:00

Hi Akshay,

It's hosted on an App Service.

I think there must be something additional wrong.

I cannot seem to create any second bot (even as a copy of development) to succeed on that SSO call. They all return 404 -even on my local machine.

I can switch between the 2 configs and one works and the other just wont'.
Eugene De Villiers 30 Reputation points

2024-05-16T19:31:11.0933333+00:00

Hi Akshay,

Update on this. I kept testing and comparing and then ended up accidentally removing the MS-Teams channel from the working bot. After adding that back in the DEV bot also does not get SSO anymore but simply returns a 404.

Hope that helps to narrow down the issue.
Eugene De Villiers 30 Reputation points

2024-05-23T22:26:49.8333333+00:00

Hi Akshay,

It looks like the reason my developer bot was working up to a point is because there was a token cached for it.

I have managed to resolve my issues in the meanwhile.

Kind regards,

Eugene
Tomasz Wojtasik 1 Reputation point

2024-07-05T14:06:47.5733333+00:00

@Eugene De Villiers could you explain how did you manage to resolve the issue? It seems like I'm having the same problem. Thanks!
Eugene De Villiers 30 Reputation points

2024-07-10T16:15:29.8433333+00:00

@Tomasz Wojtasik
In our case we had worked with the SSO sample code and had all the appId's and secrets plugged into that codebase. So the SSO sample code authenticated and that got cached in teams. So we had our bot and SSO working fine for one bot and not the other. Our code implementation was not sufficient at that point to let the new bot auth properly.

We worked through the SSO sample app and brought all the pieces across to our own code-base until we had it working.

https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/app-sso

My suggestion would be to do the same.
Our implementation is in c#, but we will be moving that across to Node/Typescript in the near future. They seem to be very similar in how they work.

I think there are some nuances that we do not understand yet, and we will get back to this when we implement further. In the meanwhile we are trying to use only app authentication to get everything done. This can be done with powershell.
Leaving some links on that here:
https://learn.microsoft.com/en-us/microsoftteams/teams-powershell-install
We assign the policy like this:Connect-MicrosoftTeams``New-CsApplicationAccessPolicy -Identity <nameofpolicy> -AppIds "<yourappid>" -Description "Allow app to access specified users data"

Grant-CsApplicationAccessPolicy -PolicyName <nameofpolicy> -Identity "<user-azure-id>"

If SSO is really what you need, here is a good series of youtube videos that could help:
https://www.youtube.com/playlist?list=PLWZJrkeLOrbZ3uG8Xb8yOUeWu7UDu4Q_-
also this:
https://www.youtube.com/watch?v=kruUnaZgQaY

Hope something in here helps!
-Eugene

Accepted answer

Akshay-MSFT 17,871 Reputation points Microsoft Employee

2024-05-24T06:43:40.4+00:00

@Eugene De Villiers

I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer.

Issue: SSO is not working in Teams bot and responding with Received HTTP response headers after 270.8012ms - 404

Cause: Developer bot was working up to a point is because there was a token cached for it but not in production environment.

Solution:

I was able to test this in my lab but found no issues, later on I tried approaching the service engineering team but have not heard of any such emerging/known issues and was suggested to collect and inspect HTTPS traffic by using a proxying tool like Fiddler.

Based upon your research I was able to find the following info:

If there's a cached token, the bot uses the same token. If there's no token available, the Adaptive Card sends an invoke response to the bot service, which sends an OAuth card with the following values that includes a tokenExchangeResource to designate an SSO operation

The SSO fails when the Teams client ignores the tokenExchangeResource value for any reason, including invalid values, errors retrieving exchangeable tokens, or if Microsoft Entra ID doesn't support the value. Then the Teams client triggers the nominal sign-in or OAuth flow.

Suggestion: It's recommended that you provide a sign-in URL

If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Thanks,

Akshay Kaushik
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Cannot get SSO to work in bot framework

0 additional answers

Your answer