Question
· Jan 5

IRIS Delegated Authentication Not Triggering ZAUTHENTICATE with Kong API Gateway

We are implementing delegated auth between Kong Gateway and IRIS. Kong is correctly configured to forward JWT authenticated requests with consumer headers (X-Consumer-Username, etc.) to IRIS, but the ZAUTHENTICATE routine (deployed in the %SYS namespace) never executes, leaving ZW ^ZAUTHLOG empty despite successful header delivery.

401 error response:
...
* Request completely sent off
< HTTP/1.1 401 Unauthorized
< Content-Type: text/html; charset=utf-8
< Content-Length: 0
< Connection: keep-alive
< Date: Fri, 02 Jan 2026 16:03:48 GMT
< CACHE-CONTROL: no-cache
< EXPIRES: Thu, 29 Oct 1998 17:04:19 GMT
< PRAGMA: no-cache
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Server: kong/3.11.0.3-enterprise-edition
< X-Kong-Upstream-Latency: 17
< X-Kong-Proxy-Latency: 1
< Via: 1.1 kong/3.11.0.3-enterprise-edition
< X-Kong-Request-Id: d1e1be43c3b00050672d105fb285c519

* Connection #0 to host kong.dev.azure.asmodee.com:443 left intact

ZAUTHENTICATE code:

#include %occErrors

ZAUTHENTICATE(ServiceName, Namespace, Username, Password, Credentials, Properties) PUBLIC {
    ; Diagnostic trace of every call into the routine
    SET idx = $INCREMENT(^ZAUTHLOG)
    SET ^ZAUTHLOG(idx,"$H") = $H
    SET ^ZAUTHLOG(idx,"Service") = ServiceName
    SET ^ZAUTHLOG(idx,"Namespace") = Namespace
    ; Consumer identity injected by Kong (X-Consumer-Username header)
    SET kongConsumer = ""
    IF $ISOBJECT($GET(%request)) {
        SET kongConsumer = $GET(%request.CgiEnvs("HTTP_X_CONSUMER_USERNAME"))
    }
    SET ^ZAUTHLOG(idx,"Kong_Consumer_From_Header") = kongConsumer
    SET ^ZAUTHLOG(idx,"ServiceName_Received") = ServiceName
    IF kongConsumer="" {
        SET ^ZAUTHLOG(idx,"Result") = "REJECTED_NO_KONG_HEADER"
        QUIT $SYSTEM.Status.Error($$$InvalidUsernameOrPassword)
    }
    ; Map every gateway-authenticated consumer to one IRIS proxy account
    SET Username = "jarvis_proxy"
    SET ^ZAUTHLOG(idx,"IRIS_Username") = Username
    SET ^ZAUTHLOG(idx,"Result") = "AUTHENTICATED"
    SET Properties("Username") = Username
    QUIT $SYSTEM.Status.OK()
}

Troubleshooting Done:

  • AutheEnabled set to 8192 (Delegated, Bit 13 per Security.Applications documentation).
  • ZAUTHENTICATE routine compiled with Resource Required parameter.
  • Headers verified reaching IRIS (Web Gateway logs).
  • Kong request-transformer plugin is working correctly.
  • Manual testing shows routine executes, but delegated requests don't trigger it.
  • We also tested delegated authentication by calling IRIS directly (bypassing Kong) with pre-set headers; ZAUTHENTICATE still doesn't trigger. Unauthenticated and Password auth methods work well.

Does ZAUTHENTICATE require specific conditions to execute (session state, pre-auth check)? What am I missing?
Thank you for any help!

Product version: IRIS 2025.2
$ZV: IRIS for UNIX (Ubuntu Server LTS for x86-64 Containers) 2025.2 (Build 227U) Thu Jul 10 2025 11:09:38 EDT

Hi Enrico!

Yes, confirmed in Web Application /ws/jarvis:
- AutheEnabled = 8192 (Delegated, Bit 13) 
- ZAUTHENTICATE compiled in %SYS with "Resource Required" 
- System-wide: "Allow Delegated authentication" + "Allow O/S auth with Delegated authorization" enabled 

But ^ZAUTHLOG remains empty — routine never called, even direct IRIS calls (no Kong) return 401.

Any other system-level prerequisite missing? 

I think that ^ZAUTHLOG cannot be set because the process executing the ZAUTHENTICATE code has no privilege/access to %SYS for writing. If you follow @Lucas Fernandes's suggestion to enable and check the audit log, you will probably find a <PROTECT> error.

If you are using a test system (no production!), you can temporarily add the %All role to the CSPSystem user and try again.
Remember to remove the %All role after you debug the issue.

Note that before authentication the process running ZAUTHENTICATE has VERY limited capabilities (privileges).

In general I think the ZAUTHENTICATE should check if it's called for the purpose you are implementing, something like:

If ServiceName="%Service_WebGateway" {
    If $isobject($get(%request)) {
        If (%request.Application="/ws/jarvis") {

            ; your code here

        }
    }
}

You may also need/want to assign a role to the user:
Set Properties("Roles")="YourRequiredRole"
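Putting the points of this thread together, below is a sketch of a ZAUTHENTICATE that scopes itself to the Web Gateway service and the /ws/jarvis application, keeps the diagnostic global write from aborting the login when the pre-authentication process lacks the privilege to write it, and assigns a role. This is an added example, not code from the question or from InterSystems: the application path and the `jarvis_proxy` account come from the question, while the role name `JarvisApp` and the `Log` helper are assumptions for illustration.

```objectscript
#include %occErrors

    ; Added example (not from the thread). Assumes /ws/jarvis is reachable only
    ; through Kong, so the X-Consumer-Username header written by the gateway is
    ; the only source of the caller's identity.
ZAUTHENTICATE(ServiceName, Namespace, Username, Password, Credentials, Properties) PUBLIC {
    ; Handle only Web Gateway logins for our application; anything else is rejected.
    If ServiceName'="%Service_WebGateway" {
        Quit $SYSTEM.Status.Error($$$InvalidUsernameOrPassword)
    }
    If '$IsObject($Get(%request)) || (%request.Application'="/ws/jarvis") {
        Quit $SYSTEM.Status.Error($$$InvalidUsernameOrPassword)
    }

    ; Consumer identity injected by Kong's request-transformer plugin.
    Set kongConsumer = $Get(%request.CgiEnvs("HTTP_X_CONSUMER_USERNAME"))
    If kongConsumer="" {
        Do Log("REJECTED_NO_KONG_HEADER", ServiceName, kongConsumer)
        Quit $SYSTEM.Status.Error($$$InvalidUsernameOrPassword)
    }

    ; Map the gateway-authenticated consumer to the IRIS proxy account and
    ; give it the role the application needs (JarvisApp is an assumed name;
    ; the role must exist in IRIS).
    Set Username = "jarvis_proxy"
    Set Properties("Username") = Username
    Set Properties("Roles") = "JarvisApp"
    Do Log("AUTHENTICATED", ServiceName, kongConsumer)
    Quit $SYSTEM.Status.OK()
}

    ; Hypothetical helper: the process running ZAUTHENTICATE has very limited
    ; privileges before authentication, so a Set on a %SYS global can raise
    ; <PROTECT>. Catching it keeps a failed diagnostic write from becoming a
    ; failed login; the audit log still records the login outcome.
Log(result, service, consumer) {
    Try {
        Set idx = $Increment(^ZAUTHLOG)
        Set ^ZAUTHLOG(idx, "$H") = $Horolog
        Set ^ZAUTHLOG(idx, "Service") = service
        Set ^ZAUTHLOG(idx, "Kong_Consumer_From_Header") = consumer
        Set ^ZAUTHLOG(idx, "Result") = result
    } Catch ex {
        ; Nothing to do here: the write is diagnostic only.
    }
    Quit
}
```

With the global write isolated this way, an empty ^ZAUTHLOG no longer tells you whether the routine ran; enabling the audit log for login events is the reliable way to confirm that, and a <PROTECT> in the audit entries confirms the privilege problem discussed above.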