A Web Authentication Layer is configured and users are authenticated; however, the group information is missing from X-Authenticated-Groups in ICAP, or from cs-auth-group in the Access Log.
Authentication on the proxy works such that group information for an authenticated user is unknown until it is needed. The proxy collects the user's group information only when a group-based policy needs to be processed.
When no group information is needed to match a policy, the proxy does not have the information to fill in X-Authenticated-Groups in ICAP, or cs-auth-group in the Access Log.
If a policy containing a group the user belongs to is processed, then that group information is sent in ICAP or the Access Log.
To extract group information for an authenticated user:
1. Create a new Web Access Layer
2. Source = the group the user belongs to
3. Action = none
[Caveat: ProxySG queries the authentication server to get the group information, which can affect ProxySG performance. Perform with caution!]
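To confirm the symptom, or that the added rule took effect, the access log can be checked for authenticated requests that were logged without a group. The script below is an added example, not part of the original article; it assumes an ELFF-style log with a `#Fields:` header, a `cs-username` field, and `-` for empty values, and the sample log lines are constructed.

```python
import shlex
from collections import defaultdict

# Constructed sample log. The field order is an assumption; it is read from
# the "#Fields:" header rather than hard-coded.
SAMPLE_LOG = """\
#Software: SGOS (constructed sample)
#Fields: date time c-ip cs-username cs-auth-group cs-method cs-host sc-status
2024-01-10 09:00:01 10.0.0.5 alice - GET example.com 200
2024-01-10 09:00:02 10.0.0.6 bob "Web Users" GET example.org 200
2024-01-10 09:00:03 10.0.0.7 - - GET example.net 407
2024-01-10 09:00:04 10.0.0.5 alice - GET example.org 200
"""

EMPTY = ("-", "")


def missing_group_users(log_text):
    """Return {username: request_count} for authenticated requests whose
    cs-auth-group was logged empty, i.e. no group-based rule was evaluated."""
    fields = []
    counts = defaultdict(int)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        try:
            values = shlex.split(line)  # keeps quoted group names intact
        except ValueError:
            continue  # unbalanced quotes: skip the malformed line
        if len(values) != len(fields):
            continue  # truncated or malformed line
        rec = dict(zip(fields, values))
        user = rec.get("cs-username", "-")
        group = rec.get("cs-auth-group", "-")
        if user not in EMPTY and group in EMPTY:
            counts[user] += 1
    return dict(counts)


if __name__ == "__main__":
    for user, n in sorted(missing_group_users(SAMPLE_LOG).items()):
        print(f"{user}: {n} authenticated request(s) logged without a group")
```

Users reported here were authenticated, but no policy rule referencing one of their groups was processed for those requests.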