Skip to main content
Skip table of contents

Migration of authentication providers and SSO to port 443

This guide outlines the steps required to migrate your Single Sign-On (SSO) and authentication provider configurations to port 443. Alternatively, you can set it up in a way to keep port 8443 working.

  • If you need the authentication working via both the 8443 port and the 443 port, do not update your existing Redirect URLs. Just add a new HTTPS URL without the port specified to the list of Redirect URLs for your authentication provider. The result will be that in the values for the Redirect URL, you will have two records for each callback - one with the old port e.g.:  https://<domain>:8443/<callback> and one without port number: https://<domain>/<callback>.
  • If you wish to only use port 443, update your existing Redirect URLs by removing port 8443.

We do not recommend using Redirect URLs with an explicitly specified port 443, as some authentication providers may check for the presence of this port, and most web browsers omit this standard HTTPS port after accessing a web address.

Microsoft Entra ID

OAuth 2.0 and OIDC configuration

The general process for migrating Microsoft Entra ID configurations for OAuth 2.0 and OpenID Connect (OIDC), as well as the creation of applications in Azure, is similar, as both protocols are built on the same foundation. For more details, see  Add a custom app in Microsoft Entra ID and Microsoft Entra authentication.

  1. Log in to Microsoft Entra Admin Center as an administrator.
  2. Navigate to App registrations. Find and select the application you wish to update.

  3. Click Authentication Settings. In your app registration overview, click Authentication in the left menu.

  4. In the Redirect URIs section, scroll down to Redirect URIs.

  5. Update the Redirect URI. You’ll see a list of current Redirect URIs that are configured to handle authentication responses.

    • Locate URIs that reference port 8443 and depending on your use case, either remove the 8443 port, or add a new URI record as follows: https://<domain>/<callback>.

    • The domain should be the same as the one of the SAFEQ Cloud Web UI URL. For example, if your SAFEQ Cloud Web UI URL is  https://print.acme.com:8443/some/callback,the new value should be:  https://print.acme.com/some/callback
  6. Save and test your changes.

SAML configuration

To migrate SAML Single Sign-On configuration in Microsoft Entra ID, perform the following steps. For more details about Microsoft Entra, see Microsoft Entra Single Sign-On.

  1. Log in to Microsoft Entra Admin Center as an administrator.
  2. Go to Enterprise applications > All applications. Find and select the application you wish to update. You can use the search bar to find and select the application for which you need to update the SAML SSO settings.

  3. Go to the Single Sign-On Settings. Within your selected application, click Single sign-on in the left menu. This will open the SAML-based SSO configuration page.

  4. Update the Identifier (Entity ID): https://<domain_name_that_has_saml_configured>/. Change  SSO issuer ID optional parameter in Single sign-on authentication settings in your account to match this value if it is filled in. 

    SAFEQ Cloud Client with OAuth2 login will use a port based on connection to SAFEQ Cloud, i.e. either 8443 or standard HTTPS port 443. To make both ports work, you can either:

    • have two URIs in Entity ID, one without the port, i.e.  https://<domain_name_that_has_saml_configured> and one with port specified, i.e. https://<domain_name_that_has_saml_configured>:8443/
    • or specify the SSO issuer ID optional parameter in the Single sign-on authentication settings in your account to match the URI specified in Entity ID, e.g. https://<domain_name_that_has_saml_configured>/
  5. Update the Sign-On URL:  https://<domain_name_that_has_saml_configured>/assertion/saml
  6. Update the Reply URL : https://<domain_name_that_has_saml_configured>/assertion/saml
  7. Save and test your changes.

Troubleshooting

OAuth2 authentication stops working in SAFEQ Cloud Client when used with Single sign-on: "Sorry, but we're having trouble signing you in."

You get the following message from Microsoft, saying "Application with identifier 'https://[domain_name]:443/' was not found in the directory...":

This can be caused by SAFEQ Cloud Client opening an authentication page with a different port than expected by the Microsoft Entra ID application for SAML SSO.

To fix this, you can either:

update Microsoft Entra ID application for SAML SSO:

  1. Navigate to Microsoft Entra Admin Center in your web browser and sign in with your administrator credentials.
  2. Select Enterprise applications and then select All applications. Find and select the application you wish to update. You can use the search bar to find and select the application for which you need to update the SAML SSO settings.
  3. Access Single Sign-On Settings. Within your selected application, click on Single sign-on in the left-hand menu. This will open the SAML-based SSO configuration page.
  4. In Identifier (Entity ID), depending on your use case, either remove port 8443 from the URI, or add a new record as follows: https://<domain_name_that_has_saml_configured>/.
  5. If you added a record, you will now have two URIs in Entity ID – one without the port specified (i.e. https://<domain_name_that_has_saml_configured>/ and one with port specified, i.e, https://<domain_name_that_has_saml_configured>:8443/).
  6. Save and test your changes.

or update Single sign-on authentication settings in your account:

  1. Log in to SAFEQ Cloud Web UI.
  2. Navigate to Authentication > Single sign-on.
  3. Specify the optional parameter SSO issuer ID to match the URI specified in Entity ID in your Microsoft Entra ID application for SAML SSO (e.g. https://<domain_name_that_has_saml_configured>/).
  4. Save and test your changes.

OAuth2 authentication stops working in SAFEQ Cloud Client when used with Microsoft Entra ID Customizable authentication: "Sorry, but we're having trouble signing you in."

You get the following message from Microsoft, saying "The redirect URI 'https://[domain_name]/callback/oidc-login' specified in the request does not match the redirect URIs configured for the application...":

This can be caused by SAFEQ Cloud Client opening the authentication page with a different port than the Microsoft Entra ID application for OIDC expects.

To fix this, update the Microsoft Entra ID application for OIDC:

  1. Navigate to Microsoft Entra Admin Center in your web browser and sign in with your administrator credentials.
  2. Navigate to App registrations. Find and select the application you use for OIDC in your authentication provider. You can search for it by name if needed.
  3. Access Authentication Settings. In your app registration overview, click on "Authentication" in the left-hand menu.
  4. Locate the Redirect URIs Section. Scroll down to the Redirect URIs section.
  5. In Redirect URI, you’ll see a list of current Redirect URIs that are configured to handle authentication responses.
  6. Depending on your use case, either remove the 8443 port from the URIs, or add new records as follows: https://<account-domain>/callback/oidc-login and https://<account-domain>/callback/acl (replace <account-domain> with other addresses you have configured for port 8443).
  7. If you added new records, you will now have 4 addresses in total (two with port 8443 and two without port specified).
  8. Save and test your changes.

Okta

OIDC configuration

To migrate OIDC Okta to port 443, perform the following steps. For more details about Okta, see OKTA Authentication.

  1. Log in to the Okta Admin Console as administrator.
  2. Navigate to Applications. Find and select the application for which you need to update the redirect URLs.
  3. In the application settings, go to the General tab and click Edit.
  4. In the Sign-in redirect URIs section, depending on your use case, either remove the 8443 port number from the existing records, or add new URI records as follows: https://<domain>/callback/oidc-login and https://<domain>/callback/acl.
  5. Save and test your changes 

SAML configuration

To migrate SAML Single Sign-On in Okta to port 443, perform the following steps. For more details about Okta, see Okta Single Sign-On / Logout.

  1. Log in to the Okta Admin Console as administrator.
  2. Navigate to Applications. Find and select the application for which you need to update the SAML SSO settings.
  3. Locate the Single Sign-On URL and depending on your use case, either remove the 8443 port number from the existing URL or add a new URI value as follows: https://<account-domain>/assertion/saml.
  4. Update the Audience URI (SP Entity ID). Change the SSO issuer ID optional parameter in Single sign-on authentication settings in your account to match this value if it is filled in. 
  5. Review and update any additional URLs, such as Logout URL, in case they contain port 8443.
  6. Save and test your changes.

Troubleshooting

OAuth2 authentication stops working in SAFEQ Cloud Client when used with Okta Customizable OIDC authentication

You get the following message from Okta saying: "The 'redirect_uri' parameter must be a Login redirect URI in the client app settings...":

This can be caused by SAFEQ Cloud Client opening the authentication page with a different port than the Okta application for OIDC expects.

To fix this, update Okta application for OIDC:

  1. Access the Okta Admin Console and log in with your administrator credentials.
  2. Navigate to Applications, find and select the application for which you need to update the redirect URLs.
  3. In the application settings, go to the General tab and click Edit.
  4. In the Sign-in redirect URIs, add https://<account-domain>/callback/oidc-login and https://<account-domain>/callback/acl (replace <account-domain> with other addresses you have configured for port 8443)
  5. You should now have 4 addresses in total (two with port 8443 and two without port number specified).
  6. You can add more addresses in Configure SAML settings > SAML Settings > show Advanced Settings > Other Requestable SSO URLs.
  7. Save and test your changes.

PingId

OAuth 2.0 configuration

To migrate OAuth 2.0 PingId Single Sign-On to port 443, perform the following steps. For more details about PingId, see PingID Single Sign-On and Add a custom app in the Ping identity platform.

  1. Log in to the PingID Admin Console as administrator.
  2. In the main menu, click Applications.
  3. Select the OAuth2 Worker that you need to update.
  4. In the OAuth2 Worker settings, go to Redirect URIs.
  5. Locate the URI that reference port 8443 and depending on your use case, either remove the 8443 port number from the existing URIs, or add new one as follows: https://<account-domain>/callback/ping.
  6. Save your changes

SAML configuration

To migrate SAML PingId Single Sign-On to port 443, perform the following steps. For more details about PingId, see PingID Single Sign-On.

  1. Log in to the PingID Admin Console as administrator.
  2. In the main menu, click Applications.
  3. Select the specific application for which you need to update the SAML SSO settings.
  4. In the selected application, go to Configuration settings.
  5. In the Assertion Consumer Service (ACS) URL, either remove the 8443 port or add a new record as follows: https://<account-domain>/assertion/saml. 
  6. Update Entity ID - change the SSO issuer ID optional parameter in Single sign-on authentication settings in your account to match this value if it is filled in.
  7. Update any other relevant URLs (e.g., Single Logout URL) - if they include the port number, remove it.
  8. Save your changes
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close