On the WSA, under Network/Authentication, you can add an LDAP Realm if you want users to authenticate to the WSA using basic auth. In a Windows-based network, you'd usually join the WSA to the domain and create an Active Directory realm that uses Kerberos and/or NTLMSSP along with ISE/ISE-PIC to get transparent auth. We also set up an LDAP realm for external authentication, and reference that in System Administration/Users, so that admins of the WSA can use their AD creds, not the local accounts. We don't set the user/group queries, as we're relying on ISE-PIC for that.
On the SMA, we set up an LDAP realm as well, also to be used for external authentication of admins. Since we also use the SMA for our ESA, we do enable the Spam Quarantine queries.
Since it sounds like you're using LDAP and basic auth for your users to auth to the WSA and you'll be pushing configs from the SMA, the Realms have to have the same name. You're not pushing the actual LDAP config (user hitting the LDAP server, which LDAP serves) from the SMA to the WSA, just the config of the Identity Profile... so that has to line up/work on the WSA.