OIDC and email address #1095
-
Hello Smallstep community, I am working on trying to set up a proof of concept using Smallstep CA to provision user SSH certificates. We have a pretty large environment, and coupling our existing SSO to Smallstep to issue SSH certs would really be a big improvement for us. We are currently using Idaptive, which is now CyberArk. The issue I am seeing is that the token being sent over from CyberArk contains a UPN in the 'unique_name' field-
The error from Smallstep CA: "error="authority.Authorize: authority.authorizeSign: oidc.AuthorizeSign: oidc.AuthorizeToken: validatePayload: failed to validate oidc token payload: email is not allowed"" Is there any workaround for this at all, or am I just hitting a hard line from my IdP?
Replies: 2 comments
-
Hi! You may just need to allow your domain name in your CA provisioner configuration. See the `domains` option in the OIDC provisioner documentation for more. If you want, you can access other custom claims from the token and use them in certificates, using CA templates. Also, for a more complete IdP integration (with SCIM syncing), you might benefit from Smallstep SSH. Feel free to reach out via our chat box on the bottom right of that page, if you want to learn more or get a demo of it.
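To make the answer concrete, here is an added example (not step-ca's own code and not from this thread) that models the OIDC provisioner's email/domain check in Python. It walks through the "email is not allowed" rejection from the question and shows the effect of adding the `domains` option to the provisioner entry. The matching rules, client IDs, endpoint, domain names and token payloads are all constructed or assumed for illustration; only the option names `domains` and `admins` come from the provisioner documentation.

```python
"""Python model of the OIDC provisioner's email/domain validation.

Added example, not step-ca source: the rules below approximate how the
provisioner decides between "email not found", "email is not allowed" and
success, so that the effect of the "domains" option can be seen directly.
Every configuration value and token payload here is a constructed placeholder.
"""

from typing import Dict, List, Optional

# Constructed provisioner entries, shaped like the "provisioners" items in ca.json.
PROVISIONER_NO_DOMAINS: Dict = {
    "type": "OIDC",
    "name": "cyberark",                      # placeholder provisioner name
    "clientID": "PLACEHOLDER-CLIENT-ID",     # placeholder, obtain from the IdP
    "clientSecret": "PLACEHOLDER-SECRET",    # placeholder, obtain from the IdP
    "configurationEndpoint": "https://idp.example.com/.well-known/openid-configuration",
    "admins": ["ca-admin@corp.example.com"],  # constructed admin address
}

# Wrong fix: the parent domain is allowed, but the users' emails live on a subdomain.
PROVISIONER_WRONG_DOMAIN: Dict = dict(PROVISIONER_NO_DOMAINS, domains=["example.com"])

# Corrected fix: the exact domain that appears in the tokens' email claim.
PROVISIONER_WITH_DOMAINS: Dict = dict(PROVISIONER_NO_DOMAINS, domains=["corp.example.com"])

# Constructed ID-token payloads (claims only; signature validation is out of scope here).
TOKEN_UPN_ONLY: Dict = {"sub": "0001", "unique_name": "jdoe@corp.example.com"}
TOKEN_WITH_EMAIL: Dict = {"sub": "0001", "unique_name": "jdoe@corp.example.com",
                          "email": "jdoe@corp.example.com"}
TOKEN_ADMIN: Dict = {"sub": "0002", "email": "CA-Admin@corp.example.com"}


def email_domain_allowed(email: str, domains: List[str]) -> bool:
    """Assumed rule: the part after '@' must equal one configured domain,
    compared case-insensitively; subdomains are not implied by a parent domain."""
    _, _, domain = email.rpartition("@")
    return domain.lower() in {d.lower() for d in domains}


def validate_payload(provisioner: Dict, payload: Dict) -> Optional[str]:
    """Return None if the payload would be accepted, else the rejection reason.

    Assumed rules (an approximation, not the provisioner's source):
      * the 'email' claim is required; other claims such as 'unique_name' are
        not consulted here (templates can read them, this check cannot);
      * an email listed under 'admins' is always accepted;
      * when 'domains' is configured, the email's domain must be listed;
      * when 'domains' is absent, any email is accepted (assumption).
    """
    email = payload.get("email", "")
    if not email:
        return "email not found"
    admins = {a.lower() for a in provisioner.get("admins", [])}
    if email.lower() in admins:
        return None
    domains = provisioner.get("domains", [])
    if domains and not email_domain_allowed(email, domains):
        return "email is not allowed"
    return None


def walkthrough() -> Dict[str, Optional[str]]:
    """Run the constructed tokens against each configuration and collect the outcomes."""
    return {
        "upn only, no email claim": validate_payload(PROVISIONER_NO_DOMAINS, TOKEN_UPN_ONLY),
        "email claim, parent domain allowed": validate_payload(PROVISIONER_WRONG_DOMAIN, TOKEN_WITH_EMAIL),
        "email claim, exact domain allowed": validate_payload(PROVISIONER_WITH_DOMAINS, TOKEN_WITH_EMAIL),
        "admin email, domain not listed": validate_payload(PROVISIONER_WRONG_DOMAIN, TOKEN_ADMIN),
    }


if __name__ == "__main__":
    for case, outcome in walkthrough().items():
        print(f"{case:40s} -> {outcome or 'accepted'}")
```

The second case is the one to watch for when copying the configuration into your own CA: a token whose `email` claim reads `user@corp.example.com` is still rejected when only `example.com` is listed, so the `domains` value has to match the domain exactly as it appears in the IdP's token.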
-
Thanks @tashian! That seemed to get me pointed in the right direction. I have a functional step CA!