Use Email to Authenticate CASB GW for Proxy Forwarding
Article ID: 264683

Products

CASB Gateway Advanced, CASB Gateway, CASB Security Advanced, CASB Security Premium, CASB Security Standard

Issue/Introduction

In the default proxy-forwarding CPL described in the tech doc Setting Up Proxy Forwarding, the authentication method identifies the user to CASB by username, via the header set( request.x_header.BC_Auth_User, "$(user:encode_base64)" ).

In some cases, username-based authentication fails and results in a CASB Invalid User error. Either of the following can cause this:

  1. The user's secondary ID is not present in CASB or has not been synced.
  2. The user has multiple AD profiles. Because CASB stores only one secondary ID per user, CASB can receive a username that does not match the stored one and therefore block the user.

In this situation, the customer should consider forwarding the user's email address to CASB in an additional header so that CASB can identify the user by email instead.

Resolution

For proxy forwarding, the customer first needs to enable reporting of the user's email address on the proxy. On ProxySG this is done in the Integrated Windows Authentication (IWA-Direct) realm configuration:

  1. SSH into the ProxySG.
  2. Enter configuration mode: #config
  3. Edit the IWA-Direct realm: #(config) security iwa-direct edit-realm NAME
  4. Enable email-address reporting: #(config) email-address enable

Then the customer needs to add the email attribute to the Auth_Cloud action in the user-authentication forwarding section of the CPL:

;=========================================
;  User Authentication Forwarding
;=========================================
;
; Upon user authentication,
; pass the username, email address and groups to WSS.
;
<Proxy Cloud_Auth> condition=!WSS_Proxy_Bypass_List condition=CloudSOC_Domains_List
        authenticated=yes action.Auth_Cloud(yes)
; User, email and group information are passed to WSS in
; special headers added to the request. Values are base64-encoded.
;
define action Auth_Cloud
        set( request.x_header.x_BC_AUTH_USER_EMAIL, "$(user.email_address:encode_base64)" )
        set( request.x_header.BC_Auth_User, "$(user:encode_base64)" )
        set( request.x_header.BC_Auth_Groups, "$(groups:encode_base64)" )
        set( request.header.Client-IP, "$(client.address)" )
end

Additional Information

Please note that the letter case of the header name matters; WSS recognises the email attribute only when it is written exactly as follows:

set( request.x_header.x_BC_AUTH_USER_EMAIL, "$(user.email_address:encode_base64)" )

For WSS Agent-based traffic steering, the resolution is instead to enable the WSS Auth Connector to send the email attribute. For more information, see the WSS tech doc Deploy the Cloud SWG Auth Connector.