Version Affected: All
Description:
OIDC UserInfo endpoint does not error but fails to return Sub or Claims
Cause:
The UserInfo endpoint uses the Sub from the Access Token to look up the user in your Datastore.
If Sub is mapped to anything other than the Authenticated User ID, your Datastore search filter must also match on that attribute; otherwise the lookup finds no user and no claims can be returned.
Resolution:
- Open the Admin Console and navigate to the Post Auth tab of the OIDC realm
- Scroll down to the claims and check the Sub mapping
- Make a note of which attribute the Sub is mapped to and switch to your Datastore
- Edit the Search filter so it includes the attribute as an OR match.
For example, if Sub is mapped to AuxID1 and AuxID1 is set to Department, you'd need to edit your search filter from:
(&(SamAccountName=%v)(ObjectClass=*))
to
(&(|(SamAccountName=%v)(Department=%v))(ObjectClass=User))
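To show why the widened filter is needed, here is an added Python example that is not SecureAuth code: it renders both filters from the article against a constructed, AD-style sample directory with a tiny evaluator for &, | and attr=value filters. The Sub value is substituted for %v with RFC 4515 escaping, so a value containing * or parentheses is treated as a literal rather than as filter syntax. The helper names, the sample entries and the escaping routine are all assumptions of this example, not part of the product.

```python
import re

# Constructed sample directory entries (AD-style); not taken from the KB article.
SAMPLE_DIRECTORY = [
    {"sAMAccountName": "jsmith", "Department": "Finance",
     "objectClass": ["top", "person", "user"]},
    {"sAMAccountName": "adoe", "Department": "Engineering",
     "objectClass": ["top", "person", "user"]},
    {"sAMAccountName": "mlee", "Department": "Finance",
     "objectClass": ["top", "person", "user"]},
]

# Filter exactly as the article shows it; %v is the substituted Sub value.
ORIGINAL_FILTER = "(&(SamAccountName=%v)(ObjectClass=*))"


def widened_filter(sub_attribute):
    """Build the article's OR-match filter for whichever attribute Sub is mapped to."""
    return "(&(|(SamAccountName=%v)(" + sub_attribute + "=%v))(ObjectClass=User))"


def escape_filter_value(value):
    """Escape a value for use inside an LDAP filter (RFC 4515 hex escapes).
    Backslash goes first so the escapes it produces are not re-escaped."""
    escaped = value.replace("\\", "\\5c")
    for ch, code in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")):
        escaped = escaped.replace(ch, code)
    return escaped


def render(filter_template, sub_value):
    """Substitute the escaped Sub value for every %v placeholder."""
    return filter_template.replace("%v", escape_filter_value(sub_value))


def _unescape(value):
    """Turn RFC 4515 \\XX escapes back into literal characters for comparison."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(text, i):
    """Parse one parenthesised filter starting at text[i]; supports &, | and attr=value."""
    if text[i] != "(":
        raise ValueError("expected '(' at position %d" % i)
    i += 1
    if text[i] in "&|":
        op, i, children = text[i], i + 1, []
        while text[i] == "(":
            node, i = _parse(text, i)
            children.append(node)
        if text[i] != ")":
            raise ValueError("unterminated %s filter" % op)
        return (op, children), i + 1
    end = text.index(")", i)  # an escaped ')' is \29, so this is the real close
    attr, _, value = text[i:end].partition("=")
    return ("=", attr, value), end + 1


def _matches(node, entry):
    """Evaluate a parsed filter against one directory entry."""
    if node[0] in "&|":
        results = [_matches(child, entry) for child in node[1]]
        return all(results) if node[0] == "&" else any(results)
    _, attr, value = node
    # LDAP attribute names are case-insensitive, so look the key up that way.
    stored = next((v for k, v in entry.items() if k.lower() == attr.lower()), None)
    if stored is None:
        return False
    if value == "*":  # presence filter, e.g. (ObjectClass=*)
        return True
    stored = stored if isinstance(stored, list) else [stored]
    wanted = _unescape(value).lower()
    return any(v.lower() == wanted for v in stored)


def search(directory, filter_template, sub_value):
    """Return the sAMAccountNames of entries matched by the rendered filter."""
    node, _ = _parse(render(filter_template, sub_value), 0)
    return [e["sAMAccountName"] for e in directory if _matches(node, e)]


if __name__ == "__main__":
    # Sub mapped to Department: the original filter finds nobody, the widened one does.
    print(search(SAMPLE_DIRECTORY, ORIGINAL_FILTER, "Engineering"))
    print(search(SAMPLE_DIRECTORY, widened_filter("Department"), "Engineering"))
```

Two things the sample makes visible. First, a Sub of "Engineering" matches nothing under the original filter and exactly one user under the widened one, which is the failure the article describes. Second, the attribute Sub is mapped to needs to identify a single user: with two Finance entries in the sample, a Sub of "Finance" returns both, so the endpoint would have no unambiguous user to build claims for.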
Special Considerations:
We've seen this same issue generate a 200 response with no claims in it, but we've also seen it throw a 401 "Invalid Client" error. Both are fixed with the resolution listed above.
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.