I have deployed the Kong OIDC Plugin (on K8S) integrating with a Siteminder IDP. It happens that the IDP does not return the ID Token with the expected claims (e.g. user.fullName, user.email, etc.).
Does anybody know how I should configure the Kong OIDC Plugin so that it could call a userinfo endpoint exposed by the IDP and generate the x-userinfo header before sending it to the upstream system?
I do not see any option such as userinfo_endpoint in the OpenID Connect Plugin configuration.
https://docs.konghq.com/hub/kong-inc/openid-connect/#configsearch_user_info should allow you to handle that. However, you may need to request additional claims to get those fields; if the IDP doesn’t send them in the ID token with your current set, it likely will not provide them in userinfo responses instead.
You shouldn’t need to configure the userinfo endpoint; it’s normally exposed in discovery information.
Yes indeed, with OKTA I do not need to specify the userinfo endpoint and it works perfectly. But with another IDP (CA Siteminder), somehow the authorization, the token, and the userinfo endpoints are not returned in the discovery invocation. That is why I have to set the “search_user_info” flag to “true”.
However, even with that it looks like the x-userinfo argument is not present in the header.
Do you know whether Kong OIDC has been tested against the CA Siteminder IDP?
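The post above describes an IdP whose discovery document omits the authorization, token and userinfo endpoints, which is why `config.search_user_info` alone does not produce an `x-userinfo` header. The following is an added example, not code from the thread or from Kong: it fetches (or takes) an OpenID Connect discovery document, reports which endpoints the plugin will have to be given explicitly, flags any endpoint served over plain HTTP, and lists desired scopes the IdP does not advertise. The two sample discovery documents and the `example.com` URLs are constructed; the assumption that the upstream receives `x-userinfo` as base64-encoded JSON is labelled in the code and should be checked against your Kong version.

```python
import base64
import json
import urllib.request

# Endpoints the authorization-code flow plus the userinfo lookup
# (config.search_user_info = true) depend on. A compliant IdP advertises
# all of them in /.well-known/openid-configuration; the IdP in the thread
# above does not, so they must be configured by hand.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")

# Scopes that commonly unlock name/email claims. The scope-to-claim mapping
# is IdP-specific, so treat this list as a hypothetical default.
DESIRED_SCOPES = ("openid", "profile", "email")


def fetch_discovery(issuer, timeout=5):
    """Download the discovery document for an issuer (network call)."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def check_discovery(doc, required=REQUIRED_ENDPOINTS, scopes=DESIRED_SCOPES):
    """Return which required endpoints are missing, which are not HTTPS
    (an access token sent to a plain-http userinfo endpoint crosses the wire
    in the clear), and which desired scopes the IdP does not advertise."""
    missing = [name for name in required if not doc.get(name)]
    insecure = [name for name in required
                if doc.get(name) and not str(doc[name]).lower().startswith("https://")]
    supported = doc.get("scopes_supported")
    # scopes_supported is optional in the discovery spec; when it is absent
    # we cannot tell, so report nothing rather than guess.
    missing_scopes = [] if supported is None else [s for s in scopes if s not in supported]
    return {"missing": missing, "insecure": insecure, "missing_scopes": missing_scopes}


def decode_userinfo_header(value):
    """Decode an x-userinfo header value as seen by the upstream service.
    Assumption (not confirmed by the thread): the value is base64-encoded
    JSON. Unpadded base64 is tolerated."""
    padded = value + "=" * (-len(value) % 4)
    return json.loads(base64.b64decode(padded))


# Constructed sample discovery documents; not captured from any real IdP.
FULL_DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/v1/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/v1/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/v1/userinfo",
    "jwks_uri": "https://idp.example.com/oauth2/v1/keys",
    "scopes_supported": ["openid", "profile", "email"],
}
SPARSE_DISCOVERY = {  # mimics an IdP that only publishes its keys
    "issuer": "https://sso.example.com",
    "jwks_uri": "https://sso.example.com/jwks",
    "scopes_supported": ["openid"],
}

if __name__ == "__main__":
    for label, doc in (("full", FULL_DISCOVERY), ("sparse", SPARSE_DISCOVERY)):
        print(label, check_discovery(doc))
    # Round-trip a constructed header value the way an upstream would read it.
    sample = base64.b64encode(json.dumps({"sub": "alice", "email": "alice@example.com"}).encode())
    print(decode_userinfo_header(sample.decode()))
```

Run `check_discovery(fetch_discovery("https://your-issuer"))` against the real IdP before enabling the plugin: every name in `missing` is an endpoint URL you will have to supply to the plugin yourself, and anything in `missing_scopes` explains why claims such as email never appear in the ID token or the userinfo response.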
It likely hasn’t been tested against it if it isn’t already listed under https://docs.konghq.com/hub/kong-inc/openid-connect/#compatibility
You may want to try filing a ticket through http://support.konghq.com/ to ask; it’s possible someone’s aware of another customer that has used that specific IdP with the OIDC plugin previously and knows what’s required, and/or the support team may be able to help with a more in-depth review of Siteminder’s capabilities vis-à-vis the plugin’s.
Thanks again for your insights.
I actually made it work.
So you can consider that the Kong OIDC plugin works with Siteminder as well.
Thanks again for your help and advice.