CAI - MS Graph for Dynamic Credentials

We're trying to use our existing Microsoft tenant as a way to authenticate into our chatbot with dynamic credentials. I think I have everything set up correctly on the EntraID side as far as the application/users/scope etc. It's all configured per step one in https://solutions.teamdynamix.com/TDClient/1965/Portal/KB/ArticleDet?ID=140697. We're using Graph-as-a-User delegated permission scopes. If I follow the rest of the KB, the step in our intent flow that produces a Microsoft login URL opens a page that doesn't load. Step 3 specifies how to create an app or shared credential, which isn't what we need. We're trying to use a dynamic credential.

If I alter the settings from step 1 to look like the first screenshot, the flow produces a working Microsoft login URL, which I can successfully sign in to (confirmed from EntraID logs), but then I'm directed to a page that looks like it's coming from TeamDynamix with the message "Authorization Error". That seems to correlate with this line (third screenshot) in the CAI Admin monitoring message log.

Tags CAI
Asked by Logan Tong on Mon 9/16/24 1:35 PM Last edited Tue 9/17/24 11:23 AM

Answer (1)

This answer has been marked as the accepted answer
Mark Sayers Fri 9/20/24 12:01 PM

Hi Logan,

The KB you referenced is for iPaaS, so the credential you are authorizing is for a specific account that can do things with the Graph API since you are setting up the "as user" method. "As user" is a specific method where a specific account needs to be authorized in the credential to connect to Graph and do something.

If you want to allow for signing or auth against TDX, your bot would need to use the "TeamDynamix Work Management Bot Host" auth method in your dynamic credential which should use your existing setup in Work Management to authenticate. 

Sincerely,
Mark Sayers
Sr Support Consultant, CS

Hi Mark,

We already have "TeamDynamix Work Management Bot Host" auth method set up, but it restricts us as it only works when the bot is hosted on our client portal. We need to be able to host the bot on our own university website, and allow users to authenticate through our Microsoft tenant. If that's just not possible, is there any SSO method the bot works with so we can host the bot on our own website, and let users authenticate with their usual credentials?
- Logan Tong Mon 9/23/24 11:02 AM

TeamDynamix as an auth method is currently only supported for the client portal. You *could* use SAML SSO for a more general authentication if you desired though, by making use of the "Authenticate" flow step. - Mark Sayers Mon 9/23/24 11:56 AM

Ideally you should create a new auth method for their SSO provider, and then once that's done, you can use the "authenticate" step (either in the welcome intent, or in another intent). Once the user is on the university website, the bot will be like "ok sign in first", and that will prompt them to sign in with their SSO provider, then move forward. - Mark Sayers Mon 9/23/24 12:01 PM