Can the ProxySG perform split authorization?
search cancel

Can the ProxySG perform split authorization?


Article ID: 171770


Updated On:


ProxySG Software - SGOS


Split authorization is the ability to use an LDAP realm in conjunction with an IWA realm to provide more control over a user/group based on attributes provided by the LDAP server.

As an example a customer may set up authentication via an IWA realm and then create policy leveraging a specific LDAP attribute to authorize, or not, a users access to a specific site.

Note that this feature can only be activated via the CLI and the policy it uses can only be created in CPL, ie there is currently no GUI or VPM support for this feature See the SGOS 6.7 Content Policy Language Reference for more details



As of SGOS 6.7.2 customers now have the ability to use split authorization in conjunction with IWA-Direct and LDAP realms, please note that IWA-BCAAA realms are not supported.


An example setup might be as follows

  1. Create IWA-Direct Realm
  2. Create LDAP realm
  3. Add LDAP authorization to IWA-Direct realm
  4. Use new policy condition"user.authorization_name="  to test the user's LDAP DN.


Example config (CLI only)

SG#(config iwa-direct IWA_DIRECT)authorization ?

realm-name                   Specify the realm for authorization

self                         Authorize with this realm

SG#(config iwa-direct IWA_DIRECT)authorization realm-name AD_LDAP


Sample Policy

authenticate(IWA_DIRECT) authenticate.force(no) authenticate.mode(auto)


realm=IWA_DIRECT user.authorization_name.suffix="OU=InternetUsers,DC=customer,DC=domain,DC=com" url.category=("Auctions") Deny