Report on the email address of an authenticated SAML or IWA-Direct user

Article ID: 169260

Products

ProxySG Software - SGOS

Issue/Introduction

The ProxySG appliance can report on the email address of an authenticated SAML or IWA Direct user. This allows you to include the email address in:
  • HTTP/S requests to the Elastica Cloud Access Security Broker (CASB) Gateway
  • Access log formats, using the new field x-cs-user-email-address
  • Exception pages and policy, using the new $(user.email_address) substitution variable
Note: To use CASB integration with SGOS, you require the CASB Audit service.

To send the email address in requests to the CASB service, use policy such as the following:

; invokes the action from the proxy layer
<proxy>
    action.set_email_address_header(yes)

; defines the action that reports the email address of the authenticated user
define action set_email_address_header
    set(request.x_header.X-User-Email-Address, "$(user.email_address)")
end


For unsupported authentication realms, the field returns an empty string.
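As an added example (not from the article), the same policy extended so that the header is set only for requests that actually authenticated, and any copy of the header arriving from the client is removed otherwise; realm_name is a placeholder for your IWA Direct or SAML realm:

```cpl
; Added example, not from the article. realm_name is a placeholder for the
; realm configured with the email-address subcommands described above.
<proxy>
    authenticate(realm_name)

; Within a layer the first matching rule wins: authenticated requests get the
; proxy-derived value; every other request has any client-supplied copy of the
; header removed, so only the proxy ever populates it for the CASB gateway.
<proxy>
    authenticated=yes  action.set_email_address_header(yes)
    action.strip_email_address_header(yes)

define action set_email_address_header
    ; for unsupported realms $(user.email_address) expands to an empty string
    set(request.x_header.X-User-Email-Address, "$(user.email_address)")
end

define action strip_email_address_header
    delete(request.x_header.X-User-Email-Address)
end
```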

The following CLI subcommands were added for IWA Direct:

#(config iwa-direct realm_name)email-address enable
     Enable the feature to report on the user's email address. Use in conjunction with the email-attribute subcommand.

#(config iwa-direct realm_name)email-attribute attribute
     Specifies the attribute that represents the user's email address. Enable retrieval of this attribute with the email-address enable subcommand.

The following CLI subcommand was added for SAML:

#(config saml realm_name)email-address-attribute attribute
     Specifies the attribute that represents the user's email address and retrieves the value of that attribute.

Note: Map the SAML email address attribute to the relevant field on the IDP. For example, if your IDP is Shibboleth, map the emailAddress attribute to the mail field.