Report on the email address of an authenticated SAML or IWA-Direct user
Article ID: 169260
Updated On:
Products
ProxySG Software - SGOS
Issue/Introduction
The ProxySG appliance can report on the email address of an authenticated SAML or IWA Direct user. This allows you to include the email address in:
To send the email address in requests to the CASB service, use policy such as the following:
; specifies the label for the action
<proxy>
action.set_email_address_header(yes)
; defines the action to report on the email address of authenticated user
define action set_email_address_header
set(request.x_header.X-User-Email-Address, "$(user.email_address)")
end
For unsupported authentication realms, the field returns an empty string.
The following CLI subcommands were added for IWA Direct:
#(config iwa-direct realm_name)email-address enable
Enable the feature to report on the user's email address. Use in conjunction with the email-attribute subcommand.
#(config iwa-direct realm_name)email-attribute attribute
Specifies the attribute that represents the user's email address. Enable retrieval of this attribute with the email-address enable subcommand.
The following CLI subcommand was added for SAML:
#(config saml realm_name)email-address-attribute attribute
Specifies the attribute that represents the user's email address and retrieves the value of the attribute.
Note: Map the SAML email address attribute to the relevant field on the IDP. For example, if your IDP is Shibboleth, map the emailAddress attribute to the mail field.
- HTTP/S requests to the Elastica Cloud Access Security Broker (CASB) Gateway
- Access log formats, using the new field x-cs-user-email-address
- Exception pages and policy, using the new $(user.email_address) substitution variable
To send the email address in requests to the CASB service, use policy such as the following:
; specifies the label for the action
<proxy>
action.set_email_address_header(yes)
; defines the action to report on the email address of authenticated user
define action set_email_address_header
set(request.x_header.X-User-Email-Address, "$(user.email_address)")
end
For unsupported authentication realms, the field returns an empty string.
The following CLI subcommands were added for IWA Direct:
#(config iwa-direct realm_name)email-address enable
Enable the feature to report on the user's email address. Use in conjunction with the email-attribute subcommand.
#(config iwa-direct realm_name)email-attribute attribute
Specifies the attribute that represents the user's email address. Enable retrieval of this attribute with the email-address enable subcommand.
The following CLI subcommand was added for SAML:
#(config saml realm_name)email-address-attribute attribute
Specifies the attribute that represents the user's email address and retrieves the value of the attribute.
Note: Map the SAML email address attribute to the relevant field on the IDP. For example, if your IDP is Shibboleth, map the emailAddress attribute to the mail field.
Feedback
Yes
No
Powered by
