How to authenticate users thanks to Edge SWG forwarded XAU header. Leverage XAG header to create group based policy rules in Cloud WI

Products

Web Isolation Cloud ProxySG Software - SGOS

Issue/Introduction

Integrate Cloud WI with Edge SWG

How to authenticate users thanks to Edge SWG forwarded XAU (X-Authenticated-User) header
Leverage XAG (X-Authenticated-Group) header to create group based policy rules in Cloud WI

Resolution

Make sure that the Edge SWG(s) serial number(s) has/have been linked to the Cloud WI tenant. The backend linking is carried out by the technical support
In the SWG management go to “Administration -> Data & Cloud Services -> Isolation”
Enable Isolation setting “Destination Type: SYMC Isolation Service”
Set “Include Headers: User - Group - XFF - Appliance ID”
Set as “SSL Issuer Keyring:” the keyring used to intercept client TLS/SSL traffic
Set “Server CCL: bluecoat-isolation”, example:
Save the SGOS new settings
In the Edge VPM make sure client requests that need to be forwarded to WI are TLS/SSL intercepted thanks to the step 5 set SSL Issuer Keyring
Make sure that the same requests are matching an authentication rule, example:
If user group membership is needed in Cloud WI make sure that the proxy policies in the access layer contain a matching needed group rule, it can be a rule without any action, example:
Create a new access layer (at the bottom of the stack) with the required source and destination definitions and action “isolate”, example:
In the Cloud Web Isolation management web-console create a new SAML Identity Provider in “User Management -> SAML Identity Providers”, example:
Push settings then go to “User Management -> SAML Trusts” and create a new SAML Trust
Can set up a real working IdP or a “dummy” one (knowing that XAU info sent from the Edge SWG will be used to authenticate the users in WI there is no need to authenticate the user again with an external IdP like Azure), example of “not working” IdP:

Generic SAML

IdP Details
Entrypoint URL: https://login.microsoftonline.com/1234:
Logout URL: https://login.microsoftonline.com/1234
Signing Certificate: any “.cer” file

Claims:
Username Attributes: nameID
Username Identifier Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Group Attribute: groups

Click on “Create”

Export the Cloud WI metadata (import it in the IdP if setting it up, skip it if “dummy”/not working one)

“PUSH SETTINGS”
Go to “Policies -> All Policies” and edit the “My Policy” policy
Enable authentication clicking on the “Use Authentication” checkmark. Set:

Mode: Server
Profile: SAML Authentication

Click on “Update” and “PUSH SETTINGS”
Go to “System Configuration -> Gateways”. Edit all present gateways. In the SAML Authentication session select and set the newly created SAML Trust:

Click on “Update” and “PUSH SETTINGS”
Back in the Edge SWG admin console go to “Dashboard -> Advanced URLs -> Authentication -> View Logins by User name”. Select the realm used to authenticate the clients
Test the authentication from one test machine forwarding the requests to the Edge SWG
Make sure that the test user is authenticated. If group membership is needed the requests have to match step 10 set policy rules. Check that the user group(s) is/are present in step 18 advanced URL “View Logins” “Detailed View” “Group”. Example for test user “adam” group membership:
In Cloud WI management go to “My Policy” and create/modify policy rules to match username/group membership as per business requirements.

Newly created “Identity Provider” real/dummy not working one can be selected. Edge SWG authenticated user info will be fetched from the forwarded XAU and XAG headers
Example deny/block WI rule by user “adam”:
Test outcome: client exception webpage sent from the WI gateway:
WI related activity log records:
Example “Pass” isolation WI rule by group “webisolation”:
All the webpage content (javascript included) is downloaded and executed in the client browser, example
WI activity records shows the matching “Pass” “webisolation” group Edge XAG forwarded rule: