The ProxySG appliance can report on the email address of an authenticated SAML or IWA Direct user. This allows you to include the email address in:

• HTTP/S requests to the Elastica Cloud Access Security Broker (CASB) Gateway
• Access log formats, using the new field x-cs-user-email-address
• Exception pages and policy, using the new $(user.email_address) substitution variable

Note: To use CASB integration with SGOS, you require the CASB Audit service.

To send the email address in requests to the CASB service, use policy such as the following:

; specifies the label for the action
<proxy>
      action.set_email_address_header(yes)
 
; defines the action to report on the email address of authenticated user
define action set_email_address_header
          set(request.x_header.X-User-Email-Address, "$(user.email_address)")
end

For unsupported authentication realms, the field returns an empty string.

The following CLI subcommands were added for IWA Direct:

#(config iwa-direct realm_name)email-address enable
     Enable the feature to report on the user's email address. Use in conjunction with the email-attribute subcommand.

#(config iwa-direct realm_name)email-attribute attribute
     Specifies the attribute that represents the user's email address.  Enable retrieval of this attribute with the email-address enable subcommand.

The following CLI subcommand was added for SAML:

#(config saml realm_name)email-address-attribute attribute
     Specifies the attribute that represents the user's email address and retrieves the value of the attribute. 

Note:  Map the SAML email address attribute to the relevant field on the IDP. For example, if your IDP is Shibboleth, map the emailAddress attribute to the mail field.