The following IdPs work with Dev Portal and NGINX Plus for the /userinfo endpoint:
Amazon Cognito
Auth0
Azure AD
Keycloak
Okta
OneLogin
However, the /userinfo endpoint isn't working with Ping Identity.
Root Cause:
Server Name Indication (SNI) is an extension to the TLS protocol (formerly known as SSL) that is used in HTTPS.
It lets a server safely host TLS certificates for multiple sites under a single IP address.
The client adds the hostname of the site it is trying to reach to the TLS handshake as the server_name extension of the ClientHello, so the server can present the correct certificate for that site.
Ping Identity checks this hostname, but NGINX does not send SNI to an upstream unless told to (proxy_ssl_server_name defaults to off), so the proxied request to the Ping Identity userinfo endpoint fails. proxy_ssl_server_name on must be added before proxy_pass $oidc_userinfo_endpoint; the name sent is taken from proxy_ssl_name, which defaults to the host part of the proxied URL.
AC:
Enable proxy_ssl_server_name.
location = /userinfo {
    :
    proxy_ssl_server_name on;   # send the IdP host as SNI (server_name extension) in the TLS handshake
    proxy_set_header Authorization "Bearer $access_token";
    proxy_pass $oidc_userinfo_endpoint;
    :
}
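As an added example (not the issue's or the project's own config), the two variants of the location block side by side: the one that fails against Ping Identity because no SNI is sent, and a hardened one that sends SNI and also verifies the IdP's certificate, which proxy_ssl_server_name alone does not do. $oidc_userinfo_endpoint and $access_token are the variables from the snippet above; the resolver address, the CA bundle path and the verify depth are placeholders chosen here, not values from the issue.

```nginx
# Added example, not the project's own config. Assumes $oidc_userinfo_endpoint and
# $access_token are set as in the issue; the resolver address and CA path are assumed.

# BEFORE: NGINX's default is proxy_ssl_server_name off, so the ClientHello to the IdP
# carries no server_name extension. An IdP that checks the hostname (Ping Identity here)
# will not serve the request.
location = /userinfo {
    proxy_set_header Authorization "Bearer $access_token";
    proxy_pass $oidc_userinfo_endpoint;
}

# AFTER: SNI on, plus verification of the certificate the IdP presents.
# proxy_ssl_server_name only makes NGINX *send* the hostname; without proxy_ssl_verify
# the IdP's certificate is accepted unchecked, so a spoofed IdP could receive the
# bearer token that this location forwards.
location = /userinfo {
    resolver 127.0.0.53 valid=300s;        # needed because proxy_pass uses a variable (assumed address)
    proxy_ssl_server_name on;              # SNI = host part of $oidc_userinfo_endpoint (proxy_ssl_name default)
    proxy_ssl_protocols TLSv1.2 TLSv1.3;
    proxy_ssl_verify on;                   # verify the chain and that the cert matches the SNI name ...
    proxy_ssl_verify_depth 2;              # ... allowing one intermediate CA (assumed)
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;   # CA bundle (assumed path)
    proxy_set_header Authorization "Bearer $access_token";
    proxy_pass $oidc_userinfo_endpoint;
}
```

A quick out-of-band check, suggested here rather than taken from the issue: run openssl s_client -connect <idp-host>:443 once without and once with -servername <idp-host>. If the IdP relies on SNI, only the second run returns the expected certificate, which is the same difference NGINX sees with proxy_ssl_server_name off versus on.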
Compatibility test with the 7 IdPs above to make sure the change still works with all of them, against the following checklist.