
Integrating Third Party Identity Providers With SAP Conversational AI

INTRODUCTION

When users interact with a chatbot in an enterprise environment, they frequently need their identity confirmed before the actions they request can be completed. A user's identity can be confirmed in a number of ways. Ideally it is done seamlessly before the user starts a session with the chatbot (see SAP Conversational AI Webchat). Sometimes, however, this is not possible for logistical or technical reasons, and then the user's identity must be confirmed within the conversation itself, which is the topic of this blog.

SCOPE

There are numerous identity providers (IDPs) to choose from (Azure Active Directory, PingFederate, and G Suite, just to name a few), and they all offer API support for enterprise applications. This blog focuses on integrating the IDP component of Azure Active Directory (Azure AD) into a NodeJS application. That application in turn communicates with the SAP Conversational AI platform.

STEP 1: THE NODEJS APPLICATION

The SAP Conversational AI chatbot communicates with a NodeJS application hosted on SAP Cloud Foundry, which processes and routes the incoming requests. Within this application there needs to be some logic that handles the incoming OAuth payload from the Azure AD IDP service.

The code below exchanges the authorization code delivered by Azure AD for an access token and then uses that token to query Microsoft Graph for the profile (display name and email) of the user who just signed in, so the bot can confirm who it is talking to. The code looks like this:

    const path = require('path');
    const querystring = require('querystring');
    const request = require('request');

    app.all('/auth', async (req, res) => {

        // Express has already parsed the query string, so the authorization
        // code can be read directly instead of being sliced out of req.url.
        let authed = false;
        const authcode = req.query.code;
        if (!authcode) {
            return res.status(400).send('Missing authorization code');
        }

        const postData = querystring.stringify({
            grant_type: "authorization_code",
            code: authcode,
            redirect_uri: "{NodeJS URI}",
            client_id: "{ClientID}",
            client_secret: "{CLientSecret}"
        });

        // Declared per request so concurrent logins do not overwrite each other.
        let accessToken = "";
        let name = "";
        let email = "";

        // Exchange the authorization code for an access token at the Azure AD token endpoint.
        const callGraph = () => {
            request.post({
                    url: 'https://login.microsoftonline.com/{Tenant}/oauth2/token',
                    headers: {
                        'Content-type': 'application/x-www-form-urlencoded'
                    },
                    body: postData
                },
                function(err, httpResponse, body) {
                    if (err) {
                        console.log(httpResponse);
                        console.log(err);
                    } else {
                        body = JSON.parse(body);
                        accessToken = body.access_token;
                        authed = true;
                        callGraphAPI();
                    }
                });
        };

        // Look up the signed-in user; Microsoft Graph expects the "Bearer" scheme.
        const callGraphAPI = () => {
            request.get({
                    url: 'https://graph.microsoft.com/v1.0/me',
                    headers: {
                        'Authorization': `Bearer ${accessToken}`
                    }
                },
                function(err, httpResponse, body) {
                    if (err) {
                        console.log(err);
                        return;
                    }
                    console.log(body);
                    const graphData = JSON.parse(body);
                    name = graphData.displayName;
                    email = graphData.mail;
                });
        };
        callGraph();
        res.sendFile(path.join(__dirname, 'auth.html'));
    });


STEP 2: AZURE SETUP

To use the Azure AD IDP service, some configuration needs to be done on the Azure AD tenant.

  • First navigate to azure.com, sign into your Microsoft account, and open the Active Directory panel:

  • Once there, navigate to the App Registration panel:

  • Next, create a new app registration, fill in the Name of the app (it can have any name), and in the Redirect URI field enter the URI where you want the OAuth payload to be sent (the NodeJS application in this case):

  • Next navigate to the App Permissions panel and click Add a Permission:

  • Select the Microsoft Graph API and choose the level of access required by the application:


STEP 3: SAP CONVERSATIONAL AI PLATFORM

Once all the previous steps have been completed, go to the SAP Conversational AI Platform and create a new "Auth" skill with a button. Update the link below with your own tenant information and then embed the link in the button, like so:


    https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?client_id={clientID}&response_type=code&redirect_uri={NodeJS URI}&scope=graph.microsoft.com


CONCLUSION

Completing the above steps results in the user being prompted with a button during the conversation, which redirects them to a Microsoft login screen like this:

After the user has signed in, the OAuth response is sent to the NodeJS application, which exchanges it for an access token and thereby confirms that the user is indeed authorized to be talking with the bot, keeping sensitive material and actions secure. This was done by integrating SAP Conversational AI with Microsoft's Azure AD, but the principles apply to almost any other third-party IDP that uses OAuth 2.0.

Security and automation are both increasingly important fields in IT, so it is paramount that developers find innovative ways to make the two work in harmony. Combining the 24/7 efficiency of SAP Conversational AI with the proven reliability of Azure AD means that you can automate more complex and delicate tasks, saving money and satisfying the security team.
