We are implementing delegated auth between Kong Gateway and IRIS. Kong is correctly configured to forward JWT authenticated requests with consumer headers (X-Consumer-Username, etc.) to IRIS, but the ZAUTHENTICATE routine (deployed in the %SYS namespace) never executes, leaving ZW ^ZAUTHLOG empty despite successful header delivery.

401 errors response:
...
* Request completely sent off
< HTTP/1.1 401 Unauthorized
< Content-Type: text/html; charset=utf-8
< Content-Length: 0
< Connection: keep-alive
< Date: Fri, 02 Jan 2026 16:03:48 GMT
< CACHE-CONTROL: no-cache
< EXPIRES: Thu, 29 Oct 1998 17:04:19 GMT
< PRAGMA: no-cache
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Server: kong/3.11.0.3-enterprise-edition
< X-Kong-Upstream-Latency: 17
< X-Kong-Proxy-Latency: 1
< Via: 1.1 kong/3.11.0.3-enterprise-edition
< X-Kong-Request-Id: d1e1be43c3b00050672d105fb285c519
< 
* Connection #0 to host kong.dev.azure.asmodee.com:443 left intact
 

ZAUTHENTICATE code:

ZAUTHENTICATE(ServiceName, Namespace, Username, Password, Credentials, Properties) PUBLIC {
    SET idx = $INCREMENT(^ZAUTHLOG)
    SET ^ZAUTHLOG(idx,"$H") = $H
    SET ^ZAUTHLOG(idx,"Service") = ServiceName
    SET ^ZAUTHLOG(idx,"Namespace") = Namespace
    SET kongConsumer = ""
    IF $ISOBJECT(%request) {
        SET kongConsumer = $GET(%request.CgiEnvs("HTTP_X_CONSUMER_USERNAME"))
    }
    SET ^ZAUTHLOG(idx,"Kong_Consumer_From_Header") = kongConsumer
    SET ^ZAUTHLOG(idx,"ServiceName_Received") = ServiceName
    IF kongConsumer="" {
        SET ^ZAUTHLOG(idx,"Result") = "REJECTED_NO_KONG_HEADER"
        QUIT $SYSTEM.Status.Error($$$InvalidUsernameOrPassword)
    }
    SET Username = "jarvis_proxy"
    SET ^ZAUTHLOG(idx,"IRIS_Username") = Username
    SET ^ZAUTHLOG(idx,"Result") = "AUTHENTICATED"
    SET Properties("Username") = Username
    QUIT $SYSTEM.Status.OK()
}
 

Troubleshooting Done:

• AutheEnabled set to 8192 (Delegated, Bit 13 per Security.Applications documentation).
• ZAUTHENTICATE routine compiled with Resource Required parameter.
• Headers verified reaching IRIS (Web Gateway logs).
• Kong request-transformer plugin is working correctly.
• Manual testing shows routine executes, but delegated requests don't trigger it.
• We also tested delegated authentication by calling IRIS directly (bypassing Kong) with pre-set headers; ZAUTHENTICATE still doesn't trigger. Unauthenticated and Password auth methods work well.

Does ZAUTHENTICATE require specific conditions to execute (session state, pre-auth check)? What am I missing ?
Thank you for any help !