An Edge SWG (ProxySG) appliance has multiple authentication realms configured and groups do not function correctly for one or more of the realms.

The following behaviors are observed:

• the policy is not enforced for some groups
• the appliance does not include all of the realm's groups used in policy within the Groups of Interest when querying an authorization server
• a user's credential on the appliance does not include a group, but the authorization server has them as a member of the group

Release : SGOS 7.3.3.1 - 7.3.13.1

Groups with identical names are only considered for one realm.

For example, the below policy authenticates users to one of two realms and both realms rely on a group named Users.

The following behavior occurs:

• Users authenticated to realm1 will be considered a member of Users and the policy will function as expected.
• Users authenticated to realm2 will not be considered for membership of the group Users and the policy will not function as expected for these users.

define condition GROUP1
    realm=realm1 group=Users
end

define condition GROUP2
    realm=realm2 group=Users
end

<Proxy>
    client.address=10.1.1.0/24 authenticate(realm1) authenticate.mode(proxy)
    client.address=10.1.2.0/24 authenticate(realm2) authenticate.mode(proxy)

<Proxy>
    ALLOW condition=GROUP1
    ALLOW condition=GROUP2

Software Fix

Addressed in SGOS 7.3.13.2 and later.

Workaround

Ensure the group name utilized in the policy definition is unique. For realms that are associated with a domain, the domain qualification can be added to make the group unique.

define condition GROUP1
    realm=realm1 group=Domain1\Users
end

define condition GROUP2
    realm=realm2 group=Domain2\Users
end