Teams Application

Hi there,

I was wondering if there is anybody here that successfully deployed the Teams application for IIQ. After getting everything set up, inbound requests to the service component would always fail with:

error: Host and port for request does not match this host.

I've tried swapping the hostnames around in the config, moved to IP addresses etc. Even went as far as putting an nginx as MITM proxy in front of the component to verify the host header is passed correctly. All to no avail.

Therefore I was wondering if anybody was able to deploy this component successfully. And if so, what kind of Web Proxy were you using for the bot service?

Regards Felix

Hi @Felix_Witt - can you post your config.json?

Hi,

You mean the .env file? IDK if that makes a lot of sense, I would have to redact most of the properties anyways. I take it that you have the integration running?

Regards Felix

How do you have the host/port defined? Do you have https:// in front of the hostname? Sometimes this can cause that error.

I have them set like so:

```
# The public domain name of where you host your application - this needs to be DNS accessible - not IP
PUBLIC_HOSTNAME=teams.myidentity.XX

LOCAL_HOSTNAME=teams.myidentity.XX

PUBLIC_PORT=443
PRIVATE_PORT=3988
```

But I also tried the hostname or the IPs before.

The service comes up like so but still doesn't like the requests:

```
2025-09-26 13:24:11: info:      *** Sailpoint | Teams (public) listening to https://10.XX.6:3978
2025-09-26 13:24:11: info:      *** Sailpoint | Teams (private) listening to https://10.XX.6:3988
2025-09-26 13:25:16: debug:     Message received by the public server.
2025-09-26 13:25:16: trace:     calling adapter.processActivity...
2025-09-26 13:25:16: trace:     Accessing translation file error.json for language code en-us. Family language code is en.
2025-09-26 13:25:16: trace:     Using preferred language file which cannot be overridden.
2025-09-26 13:25:16: error:     Host and port for request does not match this host.
2025-09-26 13:25:16: trace:     Accessing translation file error.json for language code en-us. Family language code is en.
2025-09-26 13:25:16: trace:     Using preferred language file which cannot be overridden.
2025-09-26 13:25:16: error:     bot onTurnError: Error: Host and port for request does not match this host.
```

If you have successfully deployed this, what kind of reverse proxy are you using?

@Felix_Witt Are you using any proxy server in between? Or is it a direct integration between IIQ<>Teams? Can you also confirm the port number? Could be private_port is causing the issue.

NGINX, unfortunately I don’t have access to the env anymore. Looks like it may be passing the host port combo in a way that is not acceptable. Can you remove the private port setting and test?

Hi, there is an Azure Application Gateway between the internet and this Teams bot service. The connection is definitely on the public port.

Do you have a working instance by any chance?

Regards Felix

I tried putting an nginx as man in the middle proxy in between there. I mean I could try to fiddle around with the headers a bit. But it would be great to have a working instance as reference.

This issue is bugging the customer for a while already and I wasted quite some hours with the support. And professional services wasn’t much help either.

@Felix_Witt No, I don’t have any working instance. Is it possible for you to enable logs at your Azure Application Gateway? You need to make sure your request and host details will pass as is via gateway to Teams server.

What about certificates?

Did the cert for the FQDN change recently?

The certificate is fine, otherwise the connection would not work at all. And no, it never worked.
I have verified that the host header matches what's configured in the env file.

So far I feel like no one is using this component and everyone is just guessing around. And that includes the Support as well as Professional services.

According to our admin for the gateway it's not possible.
But I went ahead and added an nginx as MITM to ensure that the header is sent correctly.

I’m trying to configure it right now. It’s a lot of clicks between Entra and IIQ. Really complex integration so the issue can stay in different places.

Are you sure the customer is not using the APP proxy as suggested in the documentation?

Yep, that whole setup is quite cumbersome.
As far as I understand the documentation, the APP proxy is only intended for the IIQ frontend. This is something that we have already configured like most customers.

Also the service application is really keen on managing its own certificates. Which was a pain to set up and requires re-encrypting the traffic in our case, since the App Gateway will terminate the inbound SSL. IMHO it should be totally fine to run the service in an SSL offloading scenario. Meaning the service should start without certificates and SSL if it's configured behind a proxy. But that’s a different story.

@Felix_Witt Looks like you might want to engage Sailpoint Support for this. Have you already tried that?

Sure, Support, CSM and professional services all without success.

Interesting. Then we only need to figure out how to make it work.

What is your Authentication and Network team saying about this? Can you configure it without SSL/certificates for proxy apps?

They don’t have any insights as well. And I can't run it without having SSL configured on the gateway. That's why I was wondering what kind of setup other people are using. But so far I feel like no one is using that integration.