Can the ProxySG perform split authorization?

Article ID: 171770

Products

ProxySG Software - SGOS

Issue/Introduction

Split authorization is the ability to use an LDAP realm in conjunction with an IWA realm to provide more control over a user/group based on attributes provided by the LDAP server.

As an example, a customer may set up authentication via an IWA realm and then create policy that leverages a specific LDAP attribute to authorize, or not, a user's access to a specific site.

Note that this feature can only be activated via the CLI, and the policy it uses can only be created in CPL; there is currently no GUI or VPM support for this feature. See the SGOS 6.7 Content Policy Language Reference for more details.


Environment

As of SGOS 6.7.2, customers have the ability to use split authorization in conjunction with IWA-Direct and LDAP realms. Please note that IWA-BCAAA realms are not supported.

Resolution

An example setup might be as follows:

  1. Create IWA-Direct Realm
  2. Create LDAP realm
  3. Add LDAP authorization to IWA-Direct realm
  4. Use the new policy condition "user.authorization_name=" to test the user's LDAP DN.


Example config (CLI only)

SG#(config iwa-direct IWA_DIRECT)authorization ?
realm-name                   Specify the realm for authorization
self                         Authorize with this realm
SG#(config iwa-direct IWA_DIRECT)authorization realm-name AD_LDAP


Sample Policy

; Authenticate every request against the IWA-Direct realm, whose authorization is delegated to AD_LDAP (configured above)
<Proxy>
    authenticate(IWA_DIRECT) authenticate.force(no) authenticate.mode(auto)

; Deny Auctions sites to users whose LDAP DN sits under the InternetUsers OU
<Proxy>
    realm=IWA_DIRECT user.authorization_name.suffix="OU=InternetUsers,DC=customer,DC=domain,DC=com" url.category=("Auctions") Deny
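The four-step flow above, modelled in Python as an added illustration (this is not ProxySG code): the IWA realm supplies the user name, the LDAP realm supplies that user's DN, and the sample rule's suffix test is applied to the DN. The directory contents, user names, and the handling of a user with no LDAP object are assumptions; the DN comparison is done per RDN and case-insensitively so that an escaped comma inside a CN is not mistaken for an RDN boundary.

```python
"""Model of ProxySG split authorization: identity from IWA, DN from LDAP,
CPL-style suffix rule applied to the DN. Constructed sample data throughout."""
from dataclasses import dataclass

# Constructed stand-in for the AD_LDAP realm: account name -> DN.
LDAP_DIRECTORY = {
    "alice": "CN=Alice,OU=InternetUsers,DC=customer,DC=domain,DC=com",
    "bob":   "CN=Bob,OU=Staff,DC=customer,DC=domain,DC=com",
    "carol": "CN=Carol,OU=internetusers,DC=CUSTOMER,DC=domain,DC=com",  # case differs
}

RULE_SUFFIX = "OU=InternetUsers,DC=customer,DC=domain,DC=com"
RULE_CATEGORY = "Auctions"

def split_dn(dn: str) -> list[str]:
    """Split a DN into RDNs, honouring backslash-escaped commas (RFC 4514)."""
    rdns, cur, esc = [], [], False
    for ch in dn:
        if esc:                      # escaped character belongs to the current RDN
            cur.append(ch); esc = False
        elif ch == "\\":
            cur.append(ch); esc = True
        elif ch == ",":              # unescaped comma ends the RDN
            rdns.append("".join(cur).strip()); cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return rdns

def dn_has_suffix(dn: str, suffix: str) -> bool:
    """user.authorization_name.suffix= modelled as an RDN-boundary, case-insensitive compare."""
    d = [r.lower() for r in split_dn(dn)]
    s = [r.lower() for r in split_dn(suffix)]
    return len(s) <= len(d) and d[-len(s):] == s

@dataclass
class Request:
    user: str       # identity produced by the IWA_DIRECT realm (step 1)
    category: str   # URL category of the requested site

def evaluate(req: Request) -> str:
    """Apply the page's sample rule; returns 'Deny' or 'Allow' (assumption: only this rule exists)."""
    dn = LDAP_DIRECTORY.get(req.user)          # authorization name from the LDAP realm (steps 2-3)
    if dn is None:                             # assumption: no LDAP object -> condition does not match
        return "Allow"
    if dn_has_suffix(dn, RULE_SUFFIX) and req.category == RULE_CATEGORY:   # step 4
        return "Deny"
    return "Allow"
```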