Web Isolation cloud doesn't recognize X-Authenticated-User (XAU) headers. Activity logs show an "Unauthenticated" user identity for isolated transactions. However, activity log details and proxy policy traces indicate that XAU headers are being sent and received. The ProxySG uses a non-IWA authentication realm (e.g., LDAP).
Web Isolation (Cloud and on-prem) supports only 2 username schemes:
Web Isolation fails to recognize X-Authenticated-User (XAU) headers when a non-IWA authentication mechanism is used on the downstream ProxySG proxy.
There is no officially supported way to reformat an LDAP user to the supported scheme.
Please note, this is not a documented solution. I provide it as is, on a best-effort basis; it is not an officially supported way to forward user identity to the Web Isolation Cloud.
First, the send user header option must be disabled in the ProxySG GUI:
The following snippet must be added to the local CPL file and installed (the order of the CPL actions matters; make sure it is preserved if you adjust the CPL code below):
<Proxy>
    authenticated=yes action.XAU_Rewrite(yes)
<Proxy>
    authenticated=yes action.XAU_Add(yes)
; Set the X-Authenticated-User request header to the authenticated user name
define action XAU_Add
    set(request.x_header.X-Authenticated-User,"$(user)")
end
; Rewrite a DN of the form CN=<user>,...,DC=<domain>,... to base64(<domain>\<user>)
define action XAU_Rewrite
    rewrite(request.x_header.X-Authenticated-User,"^CN=(.+?)\,.+?DC=(.+?),.*$","$(2:concat(\):concat($(1)):encode_base64)")
end
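To check which identity the rewrite will forward for a given LDAP DN before installing the policy, the following added example (not part of the original article and not vendor code) applies the same regular expression in Python and decodes the result. The function names and sample DNs are constructed for illustration, and it assumes Python's `re` module treats this pattern the same way the ProxySG regex engine does.

```python
import base64
import re

# Same pattern as the XAU_Rewrite action:
# group 1 = CN value, group 2 = first DC value that is followed by a comma.
DN_PATTERN = re.compile(r"^CN=(.+?)\,.+?DC=(.+?),.*$")


def rewrite_xau(user_dn):
    """Return the header value the rewrite would produce, or None if the DN does not match."""
    match = DN_PATTERN.match(user_dn)
    if match is None:
        return None  # pattern did not match, so no rewritten value exists
    # Mirrors $(2:concat(\):concat($(1)):encode_base64) -> base64("<DC>\<CN>")
    identity = match.group(2) + "\\" + match.group(1)
    return base64.b64encode(identity.encode("utf-8")).decode("ascii")


def decode_xau(header_value):
    """Decode a base64 X-Authenticated-User value, e.g. one copied from a policy trace."""
    return base64.b64decode(header_value, validate=True).decode("utf-8")


# Constructed sample DNs covering the cases worth checking in a real directory.
SAMPLES = [
    "CN=jdoe,OU=Users,DC=example,DC=com",         # typical DN
    "CN=jdoe,OU=Users,DC=example",                # single DC: no comma after it, no match
    "CN=Doe\\, John,OU=Users,DC=example,DC=com",  # escaped comma inside the CN
    "uid=jdoe,ou=people,dc=example,dc=com",       # DN that does not start with CN=
]

if __name__ == "__main__":
    for dn in SAMPLES:
        value = rewrite_xau(dn)
        shown = "no match" if value is None else f"{value} -> {decode_xau(value)}"
        print(f"{dn!r}: {shown}")
```

A CN containing an escaped comma is cut at that comma, and DNs that do not start with `CN=` or that have a single `DC` component do not match the pattern, so confirm that the DNs in your directory fit it.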