The group an authenticated user belongs to is not filled in the X-Authenticated-Groups in ICAP, or cs-auth-group in Access Log

book

Article ID: 171393

calendar_today

Updated On:

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

Web Authentication Layer is configured, users are authenticated, however the group information is missing from X-Authenticated-Groups in ICAP, or cs-auth-group in Access Log.

Cause

The way authentication works on the proxy is that group information for an authenticated user is unknown until its needed. The proxy will collect the user's group information when a group based policy needs to be processed.

When no group information is needed for matching a policy, proxy does not have the info to fill in the X-Authenticated-Groups in ICAP, or cs-auth-group in Access Log.

If a policy containing a group the user belongs to is processed then that group information is sent in ICAP or Access Log.

 

Resolution

Extract group information for an authenticated user:

1. Create a new Web Access Layer
2. Source = the group the user belongs to
3. Action = none.
 

[Caveat: ProxySG queries authentication server for getting the group information, it can affect the ProxySG performance. Perform with caution!]