In this month's call, Loki Meyburg, Program Manager for Microsoft Teams, discusses single sign-on (SSO) in Microsoft Teams, including:
- What is single sign-on (SSO)
- Authentication in 2019
- Single sign-on for Teams tabs today!
- Getting started with SSO
Watch the recording here - https://youtu.be/91Sb5lz3STI
4. • Azure AD single sign-on support for Teams "tabs"
• Sign in your users with the same account they're already using in Teams
• Users never have to sign in again
• Improved developer experience for building authentication
6. Authentication in 2019
• We already support cookie-based authentication
• We support "faux-SSO" with silent authentication (still cookie-based)
• If an auth cookie has expired, we allow you to briefly surface an authentication pop-up to fetch a new valid cookie
• Sample code available in our documentation
• Doesn't work cross-device 😢
• Authentication is one of our biggest developer complaints
8. Common needs
• End user: skip signing in to apps in Teams
• Developer: simpler development when it comes to authentication
• IT admin: protect user privacy and security through conditional access policies
9. Teams ♥ Azure AD
Teams Tabs authentication can be built
using Azure AD single-sign on
Faster load times
Easier development
Works on desktop + mobile
Conditional access policies apply
10. Consent once, and then be automatically signed in on any device, any time you visit that tab.
12. SSO – 1) AAD App Registration
• Register the app in the Azure AD portal
• Supported account type: "Accounts in any organizational directory and personal Microsoft accounts"
• Note the Application (client) ID
• Expose an API, using the Application ID URI
  • api://fully-qualified-domain-name.com/$AppID$ (the domain must be the one your tab is served from)
• Add a scope
  • access_as_user
• Authorize the Teams client application
  • Under "Authorized client applications", allow the Teams app to request tokens for that scope
  • Client ID: 1fec8e78-bce4-4aaf-ab1b-5451cc387264
13. SSO – 2) Teams Manifest
• webApplicationInfo: add this property to your manifest
• id: the client ID of the application, i.e. the application ID you obtained when registering the application with Azure AD
• resource: the domain and subdomain of your application. This is the same URI (including the api:// protocol) that you used when registering the app in AAD. The domain part of this URI must match the domain, including any subdomains, used in the URLs elsewhere in your Teams application manifest.

  "webApplicationInfo": {
    "id": "<application_GUID here>",
    "resource": "<web_API resource here>"
  }
14. SSO – 3) Get an auth token using the SDK
• Here's what the authentication API looks like:

  // The tab page must initialize the Teams SDK before calling it.
  microsoftTeams.initialize();
  var authTokenRequest = {
    // result is the Azure AD access token; send it to your backend, which
    // must validate it before acting on it
    successCallback: function(result) { console.log("Success: " + result); },
    // error describes why no token could be issued (e.g. consent not yet given)
    failureCallback: function(error) { console.log("Failure: " + error); },
  };
  microsoftTeams.authentication.getAuthToken(authTokenRequest);
29. Constraints
1. Only works with Azure Active Directory (i.e. we don't support Google auth, etc.)
2. Your AAD app URI needs to match the domain name of your Teams tab (to verify you own the domain)
3. We do not support hosting from azurewebsites.net (yet)
4. We can only provide you "authentication" permissions
   1. To get "authorization" for additional permissions, you must exchange the token using Azure Active Directory's on-behalf-of flow
5. Mobile is not supported (yet)
30. More about today’s topics:
https://aka.ms/teams-sso
https://aka.ms/teams-sso-sample
https://myapplications.microsoft.com/
Let's talk about the common needs of the various people who interact with SharePoint Framework applications (aka web parts).
The end user should be able to use their tools regardless of which collaboration software they're using. Since every Team in Microsoft Teams is backed by an underlying SharePoint site, it becomes more and more important to the end user that their workflow tools bridge seamlessly between one another. For example, when an end user uses the "Files" tab in Microsoft Teams, they're actually interacting with the files stored in the SharePoint site without noticing any difference between the two. The same should hold for apps: the user should be able to use the same app across multiple Office products.
For line-of-business (LoB) apps, the IT admin wants to reduce the number of places and ways to manage and deploy solutions to end users or internal employees. One of the challenges big IT organizations face is getting approval to deploy and run new internal applications, and something the SharePoint Framework does quite well is that it runs on SharePoint at no extra cost, which makes it much easier to spin up and manage an application in what is usually an already IT-approved environment. In an enterprise environment it is always tricky to get approval to host a new application: you need approval for the server costs, you have to make sure the data is in a secure
As a developer, and especially as a developer who considers themselves a Microsoft developer, you want to code up your solution once and have it work across multiple Office products and workloads. One of the great things about SharePoint and Teams is that they’re both backed by a modern group and are accessible via the Graph so the developer concepts are very aligned. If you’re an Office 365 developer then you want to feel at home regardless of which Microsoft product you’re building an app or extension for.
So what does this mean for SharePoint and Teams? Let's take a look at how the SharePoint Framework and Teams work together.
On the left, you can see a fairly complex Lead Management SharePoint application exposed inside of Teams. I’ll show you a demo of this application in a second.
Tabs are automatically hosted and executed in the context of SharePoint, yet they are also made aware that they are running inside Teams. For example, you can read the channel name or the theme of the Teams tab you're running in and use that information to customize the look and feel of your SharePoint Framework web part.
Let's talk about hosting, because that's an important one. Hosting a web part in SharePoint to be used in Teams does not cost you anything extra. In addition, SharePoint hosts your application on its battle-tested global CDN. IT admins can rest easy knowing that any additional applications are managed in one location, SharePoint, which makes them easier to maintain.
Finally, you can take advantage of all SharePoint framework capabilities in your Teams tab. With the use of lists, Graph and more you can create some really powerful end-to-end solutions.