Authenticate Conversations with SSO Teams

Note: This functionality is available in DRUID version 1.60 or higher.

For chatbots operating in the back-office in applications that use Azure AD authentication (e.g., Office 365 applications), bot authors can set the chatbots to operate on behalf of the users by using a token generated by the user’s Azure AD client.

For example, a user asks the chatbot in the Teams channel to add appointments to their Outlook calendar.

How it works

  1. The user gives the Teams chatbot the permission to obtain an authentication token from their Azure AD client.
  2. The chatbot will use that token to operate on behalf of the users in Office 365 applications.
  3. The actions performed by the chatbot on behalf of the user will be logged as being performed by the user.

How to set authentication with SSO Teams

Prerequisites

  • You have the Teams channel active.
  • You have an Azure AD tenant and admin account credentials.
  • In Developer Portal you added to your bot settings (Configure menu > Domains) the following domains:
    • token.botframework.com
    • DRUID API domain that is specific to the DRUID Cloud you're using:
      • DRUID Community: druidapi.comm.eu.druidplatform.com
      • PROD Europe: prod-DRUID-api.azurewebsites.net
      • PROD US: druidapi.us.druidplatform.com
      • PROD Australia: druidapi.au.druidplatform.com

Step 1. Create Teams SSO flow.

  1. Create a flow for Teams SSO authentication and add a step of type Teams SSO. This flow step will display a sign in button in the chat (Teams channel).
  2. Configure the step:
    • You can add the user to specific additional roles.
    • Type the sign in button label (the text that will be displayed on the sign in button) in the bot default language and additional language(s).
  3. Mark the step as first and last step and save the step.

Step 2. Register your chatbot through the Azure AD portal

In your Azure AD tenant, register your chatbot following the procedure described in Microsoft documentation.

Step 3. Use the SSO Token

When the Teams SSO step is executed (the user clicks the sign in button in the chat via the Teams channel), DRUID stores the token generated by Azure AD in the system field [[ChatUser]].SSOToken.

You can then use the value of this field in integrations, in the header of REST calls. In this case, the authentication on REST calls is no longer required.
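
Because the token in [[ChatUser]].SSOToken lets the integration act as the user, it is worth checking which user, audience and scopes it carries before placing it in a REST call header. The following is an added example, not DRUID code: it assumes the token is a compact JWT (as Azure AD tokens are) and that the target API expects the Bearer scheme; the function names and the sample token are constructed for illustration.

```python
import base64
import json
import time


def _b64url(segment):
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_sso_token(token, expected_audience, now=None):
    """Read (not verify) JWT claims; signature validation stays with the receiving API."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    claims = json.loads(_b64url(parts[1]))
    now = time.time() if now is None else now
    problems = []
    if claims.get("exp", 0) <= now:
        problems.append("expired")
    if claims.get("aud") != expected_audience:
        problems.append("audience mismatch")
    return {
        "user": claims.get("preferred_username") or claims.get("upn") or claims.get("oid"),
        "scopes": claims.get("scp", "").split(),
        "problems": problems,
    }


def auth_header(token):
    """Header for a REST call made on the user's behalf (Bearer scheme assumed)."""
    return {"Authorization": f"Bearer {token}"}


def make_sample_token(claims):
    """Constructed, unsigned sample token for offline demonstration only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


SAMPLE = make_sample_token({  # constructed claims, not taken from a real tenant
    "aud": "https://graph.microsoft.com",
    "exp": 2_000_000_000,
    "scp": "Calendars.ReadWrite User.Read",
    "preferred_username": "alice@example.com",
})

if __name__ == "__main__":
    print(inspect_sso_token(SAMPLE, "https://graph.microsoft.com"))
```

A non-empty `problems` list means the REST call will be rejected by the target API or the token was issued for a different resource; a `scopes` list broader than the integration needs is a reason to narrow the permissions granted in the Azure AD app registration.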