2 Replies Latest reply on May 24, 2017 4:32 AM by rajjesh

    Cached User Credentials in ADFS authentication


      Dear Team,


We are using McAfee cloud ePO for protection, which is ultimately being synchronized with our internal McAfee Web Gateway. We have configured the ADFS authentication method on the cloud ePO. On the McAfee Web Gateway and the cloud ePO we see that the synchronization is successful, as the config file name matches.


However, we see that the policies do not work as configured.


For example, we have certain group-based filtering policies and at the bottom we have an explicit deny rule. Now, for the same user, when connected inside the corporate network it works fine; however, when on the open internet it flows down to the explicit deny rule.


Also, we have modified the block page to show what groups the request carries in; however, even after multiple successful synchronizations, the block page does not reflect the changes.

        • 1. Re: Cached User Credentials in ADFS authentication

          You might want to do some rule tracing and specifically look at the group list retrieved for the request.  This is at least important for Active Directory because the LDAP query only retrieves security groups, and if some domain admin changes a key group at some level in the group hierarchy to some other type, the group you're testing for won't be there.  This has, in fact, happened, and it only became apparent after doing a rule trace and specifically examining the retrieved group list.
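The reply above turns on a detail of how the group list is retrieved: a security-groups-only LDAP query will silently omit any group whose type has been changed to a distribution group, so a policy that tests for that group never matches. The following script is an added example, not code from the thread or from McAfee; it decodes the Active Directory `groupType` bitmask for a constructed sample of a user's group memberships and separates the groups such a query would return from the ones it would drop, so you can check a retrieved group list against what the policy expects. The group names and `groupType` values are constructed sample data; the bit values themselves are the standard AD definitions.

```python
# Added example (not from the thread): decode Active Directory groupType values
# to see which of a user's groups a security-groups-only LDAP query would return.
# Group names and groupType values below are constructed sample data.

GLOBAL = 0x00000002
DOMAIN_LOCAL = 0x00000004
UNIVERSAL = 0x00000008
SECURITY_ENABLED = 0x80000000  # bit 31; AD stores groupType as a signed 32-bit int


def decode_group_type(value):
    """Return (is_security, scope) for an AD groupType attribute value."""
    bits = value & 0xFFFFFFFF  # normalise negative (signed) values to 32-bit unsigned
    is_security = bool(bits & SECURITY_ENABLED)
    if bits & GLOBAL:
        scope = "global"
    elif bits & DOMAIN_LOCAL:
        scope = "domainLocal"
    elif bits & UNIVERSAL:
        scope = "universal"
    else:
        scope = "unknown"
    return is_security, scope


def split_groups(groups):
    """Split (dn, groupType) pairs into the groups a security-groups-only
    query returns and the groups it drops (distribution groups)."""
    returned, dropped = [], []
    for dn, gtype in groups:
        is_security, scope = decode_group_type(gtype)
        (returned if is_security else dropped).append((dn, scope))
    return returned, dropped


# Constructed sample: a user's memberOf list as it might come back from LDAP.
# The HR group has been converted to a distribution group, so a policy rule
# that tests for it would no longer match even though the user is a member.
SAMPLE_GROUPS = [
    ("CN=WebFilter-Allow-Finance,OU=Groups,DC=example,DC=com", -2147483646),  # global security
    ("CN=WebFilter-Allow-HR,OU=Groups,DC=example,DC=com", 2),                  # global distribution
    ("CN=Domain Users,CN=Users,DC=example,DC=com", -2147483646),               # global security
    ("CN=All-Staff-Mail,OU=Groups,DC=example,DC=com", 8),                      # universal distribution
]

if __name__ == "__main__":
    returned, dropped = split_groups(SAMPLE_GROUPS)
    print("Groups a security-groups-only query would return:")
    for dn, scope in returned:
        print("  [%s] %s" % (scope, dn))
    print("Groups the policy would never see (not security-enabled):")
    for dn, scope in dropped:
        print("  [%s] %s" % (scope, dn))
```

To use this against a real directory, replace `SAMPLE_GROUPS` with the `(distinguishedName, groupType)` pairs of the user's groups as exported from your own LDAP tool; any group the policy relies on that lands in the "dropped" list explains a rule falling through to the final deny.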

          • 2. Re: Cached User Credentials in ADFS authentication

The issue is when the system is connected on the open internet and not the corporate network. So the traffic is not going through the on-premises McAfee Web Gateway but through the cloud. So I have no clue where we could run the rule trace in the case of the cloud?