The ProxySG appliance can report on the email address of an authenticated SAML or IWA Direct user. This allows you to include the email address in:
- HTTP/S requests to the Elastica Cloud Access Security Broker (CASB) Gateway
- Access log formats, using the new field x-cs-user-email-address
- Exception pages and policy, using the new $(user.email_address) substitution variable
Note: To use CASB integration with SGOS, you require the CASB Audit service.
To send the email address in requests to the CASB service, use policy such as the following:
; specifies the label for the action
<proxy>
    action.set_email_address_header(yes)
; defines the action to report on the email address of authenticated user
define action set_email_address_header
    set(request.x_header.X-User-Email-Address, "$(user.email_address)")
end

For unsupported authentication realms, the field returns an empty string.
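Because the field is empty for unsupported realms, an access log can be audited for authenticated users whose x-cs-user-email-address value is missing. The following is an added example, not code from the product documentation. The sample log, its field order, the cs-username column, and the use of "-" or "" to mark an empty value are assumptions constructed for illustration.

```python
import shlex
from collections import Counter

EMAIL_FIELD = "x-cs-user-email-address"  # access log field named on this page
USER_FIELD = "cs-username"               # assumed to be part of the log format
EMPTY = {"", "-"}                        # assumed markers for an empty value

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-username x-cs-user-email-address cs-method cs-host sc-status
2024-01-10 09:00:01 10.0.0.5 alice alice@example.com GET app.example.com 200
2024-01-10 09:00:02 10.0.0.6 bob - GET app.example.com 200
2024-01-10 09:00:03 10.0.0.7 - - GET www.example.org 407
2024-01-10 09:00:04 10.0.0.6 bob "" POST app.example.com 200
2024-01-10 09:00:05 10.0.0.8 "carol smith" carol@example.com GET app.example.com 200
"""

def parse_elff(text):
    """Yield one dict per record, keyed by the most recent #Fields directive."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = shlex.split(line)       # keeps quoted values as one token
            if len(values) == len(fields):   # skip truncated or malformed rows
                yield dict(zip(fields, values))

def users_missing_email(text):
    """Count, per user, authenticated requests logged without an email address."""
    missing = Counter()
    for rec in parse_elff(text):
        user = rec.get(USER_FIELD, "-")
        # Unauthenticated requests have no user and are not counted.
        if user not in EMPTY and rec.get(EMAIL_FIELD, "-") in EMPTY:
            missing[user] += 1
    return dict(missing)

if __name__ == "__main__":
    for user, count in users_missing_email(SAMPLE_LOG).items():
        print(f"{user}: {count} authenticated request(s) without an email address")
```

Users reported here authenticated but produced no email address, which points to an unsupported realm or an email attribute that is not being retrieved.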
The following CLI subcommands were added for IWA Direct:
- #(config iwa-direct realm_name) email-address enable
  Enable the feature to report on the user's email address. Use in conjunction with the email-attribute subcommand.
- #(config iwa-direct realm_name) email-attribute attribute
  Specifies the attribute that represents the user's email address. Enable retrieval of this attribute with the email-address enable subcommand.
The following CLI subcommand was added for SAML:
- #(config saml realm_name) email-address-attribute attribute
  Specifies the attribute that represents the user's email address and retrieves the value of the attribute.
Note: Map the SAML email address attribute to the relevant field on the IDP. For example, if your IDP is Shibboleth, map the emailAddress attribute to the mail field.