Low Trust Deployment

This article provides an overview of the installation steps for a low trust deployment of TeamFolio as a SharePoint add-in.

Step 1: Register Low Trust Add-in

This step should be performed by you prior to deployment of the TeamFolio SharePoint add-in.

Before you can publish the TeamFolio add-in, it must first be registered with the SharePoint Online add-in management service. The TeamFolio low-trust add-in must be registered on the Microsoft SharePoint Online or SharePoint 2013 or SharePoint 2016 form on which the add-in is to be installed. The TeamFolio low-trust add-in requires environment specific configuration and therefore cannot be obtained through the SharePoint Store.

info

Registration is described in the following procedure via the appregnew.aspx page in your system You'll fin this located at:

https://SharePoint_website/_layouts/15/appregnew.aspx

To register the add-in

Go to the https://SharePoint_website/_layouts/15/appregnew.aspx page. This is the SPHostUrl field in the example table below
Select the ‘Generate’ buttons to generate values for the add-in Client ID and Client Secret.
Provide the base URL of the domain where the TeamFolio MVC Web Application will be hosted. This is the Add-in Domain. Do not include the protocol (HTTPS) in the domain, but you must include the port that the remote components will use for HTTPS requests if it is not 443 (e.g. teamfolio.mycompany.com or teamfolio.mycompany.com:4444).
Provide the redirect url of the domain where the TeamFolio MVC Web will be hosted. Include the protocol (HTTPS) in the domain, you must also include the port that the remote components will use for HTTPS requests if it is not 443 (e.g. https://teamfolio.mycompany.com or https://teamfolio.mycompany.com:4444).
Select ‘Create’. The information that you entered for the add-in will be displayed on the next page.

Copy-Paste the registration information into your configuration documentation that should include a table like the one below:

Property	Value
SPHostUrl	e.g. https://SharePoint_website/ or https://SharePoint_website/sites/XYZ
Client ID
Client Secret
Title
Add-in Domain
Redirect Url

Step 2: Register Low Trust Add-in Permissions

Before you can publish the TeamFolio add-in, it must also be authorised with the SharePoint Online add-in management service.

info

Authorisation is done on the page https://SharePoint_website-admin/_layouts/15/appinv.aspx as described in the following procedure.

To authorise the add-in:

Go to the https://SharePoint_website-admin/_layouts/15/appinv.aspx page.
Enter the client id generated in step 2.1 into the Client ID and click ‘Lookup’.
Provide the permissions xml as supplied by FidraSoft and click ‘OK’.

Step 3: Create the TeamFolio Database

This step should be performed by you prior to deployment of the TeamFolio SharePoint add-in.

The TeamFolio SharePoint add-in has been developed using Microsoft Entity Framework 6 Runtime. Using Entity Framework 6 allows the TeamFolio add-in to automatically update the target database over time to reflect the latest application schemas. Therefore, TeamFolio only requires a blank target database and a suitable connection string. On first run of the application, TeamFolio will generate the required schema in the target database and pre-populate all static data automatically.

To create a TeamFolio Azure SQL Server database (using the management tool of your choice):

Create a new sql server login account for TeamFolio.
Create a new, blank database.
Assign the sql server login to the newly created database with db_owner permissions.

Please note the following details for reference in your configuration documentation that should include a table like the one below:

Property	Value
Server
Database
Username
Password*	*It is likely your organisation will have existing protocols to be followed for storing and managing passwords.
ConnectionString

Step 4: Create TeamFolio Azure Web Application Service

To create the TeamFolio Azure Web Application Service:

Use Microsoft Azure Administration Portal to create a new Web Application Service. Please ensure to select an appropriate Resource Group, App Service Plan and Location.

Please note the Url for reference in your configuration documentation.

Step 5: Create the Azure App Registration

This step should be performed by you prior to deployment of the TeamFolio SharePoint add-in.

Using the Azure Active Directory App Registration panel – create a new App Registration.

Name: Choose a meaningful name to your organization e.g. ‘TeamFolio Production’
Supported Account Types: Single Organisation
RedirectUri: Use the url noted in step 4
Click ‘Register’ and make a note of the Application Client Id and Directory Tenant Id in the table below:

Authentication Settings

Under Implicit Grant – enable ‘ID Tokens’

Certificates and Secrets

Create an appropriate client secret and make a note in the table below:

API Permissions

Add the following delegated permissions:

Email
Offline_access
OpenId
Profile
User.Read
User.Read.All
User.ReadBasic.All
User.ReadWrite

Please note the following details for reference in your configuration documentation that should include a table like the one below:

Property	Value
Tenant Id
Application Id
Client secret

Step 6: Publish the TeamFolio Web Application

To publish the mvc web application:

Extract the mvc web application zip file into a local folder (e.g. C:\TeamFolio or C:\Temp\TeamFolio). This location will be required only temporarily. Copy the application configuration templates files from ‘App_Data\Config\Templates’ to the parent directory ‘App_Data\Config’. The auxiliary files contain all client-specific configuration options. By segregating this configuration from the primary release package, client-specific configuration is protected from change during update operations. Using Azure Web Application Service Advanced Tools – copy the contents of the local folder above to the ‘/site/wwwroot/’ folder of the Web Application Service.

Step 7: Configure the TeamFolio MVC Web Application

To configure the mvc web application:

Using Azure Application Settings – create a connection string named ‘TeamFolioDbContext’ and apply the connection string value obtained in step 2.3.
Using Azure Application Settings – select ‘Advanced Edit’ and add the following keys to the panel:

{
  "name": "aad:authority",
  "value": "https://login.microsoftonline.com/{0}/v2.0",
  "slotSetting": false
},
{
  "name": "aad:clientId",
  "value": "",
  "slotSetting": false
},
{
  "name": "aad:clientSecret",
  "value": "",
  "slotSetting": false
},
{
  "name": "aad:defaultGraphScopes",
  "value": "User.Read User.ReadWrite User.ReadBasic.All",
  "slotSetting": false
},
{
  "name": "aad:redirectUri",
  "value": "",
  "slotSetting": false
},
{
  "name": "aad:tenant",
  "value": "",
  "slotSetting": false
},
{
  "name": "dm:administrators",
  "value": "",
  "slotSetting": false
},
{
  "name": "dm:databaseInitialiserTimeout",
  "value": "600",
  "slotSetting": false
},
{
  "name": "dm:defaultLicenseDuration",
  "value": "",
  "slotSetting": false
},
{
  "name": "dm:defaultLicenseGuid",
  "value": "",
  "slotSetting": false
},
{
  "name": "dm:defaultLicenseName",
  "value": "",
  "slotSetting": false
},
{
  "name": "dm:defaultLicenseUserLimit",
  "value": "",
  "slotSetting": false
},
{
  "name": "dm:enableMultipleTenancy",
  "value": "false",
  "slotSetting": false
},
{
  "name": "dm:licensePrivateKey",
  "value": "",
  "slotSetting": false
},
{
  "name": "sp:clientId",
  "value": "",
  "slotSetting": false
},
{
  "name": "sp:clientSecret",
  "value": "",
  "slotSetting": false
},
{
  "name": "sp:clientSigningCertificateSerialNumber",
  "value": "",
  "slotSetting": false
},
{
  "name": "sp:hostUrl",
  "value": "",
  "slotSetting": false
},
{
  "name": "sp:issuerId",
  "value": "",
  "slotSetting": false
}

Using Azure Application Settings – edit the application setting named ‘aad:clientId’ and apply the application id obtained in Step 5.
Using Azure Application Settings – edit the application setting named ‘aad:clientSecret’ and apply the application client secret obtained in Step 5.
Using Azure Application Settings – edit the application setting named ‘aad:redirectUri’ and apply the url obtained in Step 4.
Using Azure Application Settings – edit the application setting named ‘aad:tenant’ and apply the tenant id obtained in Step 5.
Using Azure Application Settings – edit the application setting named ‘sp:clientId’ and apply the Client ID value obtained in Step 1.
Using Azure Application Settings – edit the application setting named ‘dm:administrators’ and enter the email addresses of any administrator accounts as a semi-colon ‘;’ delimited list. These accounts will always have full administrative permission within TeamFolio regardless of any group membership which might be configured within the application at a later date.
Using Azure Application Settings – edit the application setting named ‘sp:clientSecret’ and apply the Client Secret value obtained in Step 1.
Using Azure Application Settings – edit the app setting name: ‘sp:hostUrl’ and apply the SPHostUrl value obtained in Step 1.

Step 8: Upload and install the SharePoint Add-in

To upload and install the SharePoint Add-in:

Upload the TeamFolio SharePoint add-in package file to the add-in catalog. Install the add-in on any website within the same parent SharePoint web application that contains the add-in catalog.

Step 1: Register Low Trust Add-in​

To register the add-in​

Step 2: Register Low Trust Add-in Permissions​

Step 3: Create the TeamFolio Database​

Step 4: Create TeamFolio Azure Web Application Service​

Step 5: Create the Azure App Registration​

Authentication Settings​

Certificates and Secrets​

API Permissions​

Step 6: Publish the TeamFolio Web Application​

Step 7: Configure the TeamFolio MVC Web Application​

Step 8: Upload and install the SharePoint Add-in​