Configuration >> ICAP
The ICAP Configuration section determines how the ICAP server communicates and interacts with ICAP clients (typically proxy servers).
Headers
Custom HTTP headers can be used for rule-based filtering and activity tracking. The following header fields are configurable:
- Username Header: Specifies the header key used to pass the username for policy enforcement and tracking within Shield activity.
- Group Header: Specifies the header key used to pass the user's group for policy and activity tracking.
- Rule ID Header: Specifies the header key used to pass the Rule ID. If defined, this rule takes precedence and will be the only rule evaluated for that request.
- Activity Log Data Header: Allows inclusion of custom metadata in the activity log for the request.
Enable Rule ID Filter
When enabled, if a request includes the Rule ID Header, Shield will only apply the specified rule, ignoring all others.
Proxy Configuration
This section provides tools for configuring browsers or operating systems to route traffic through the Shield proxy.
- Download Certificate: Download the SSL certificate used by the configured proxy for encrypted connections.
- Download PAC File: Download the Proxy Auto-Configuration (PAC) file generated by Shield according to your application definitions.
- PAC File URL: A direct link to the hosted PAC file. Click the copy button to use this URL in your system/browser settings.
Security
Advanced authentication mechanisms for the system are defined here. Shield supports the following options:
- No Authentication: Shield accepts requests without requiring authentication.
- Proxy Authentication: Uses LDAP credentials configured on the Directory Integrations page.
- SAML Authentication: Uses an Identity Provider (IdP) for federated access.
SAML Option Details
- Session Timeout: Time period a session can remain idle before expiring.
- Max. Session Duration: Maximum lifespan of a session before it is forcefully expired.
- Set IdP Metadata: Upload the Identity Provider’s metadata (XML or URL) so Shield (as the Service Provider) can trust the IdP.
- Download SP Metadata: Download Shield's metadata (XML) for uploading to your IdP.
- Clear User Sessions: Immediately expires all current SAML-authenticated sessions.
Allowed URLs
URLs that match patterns on this list will be allowed even if the user is not authenticated. These are most commonly the URLs required for the IdP to perform the authentication flow, so they must be accessible prior to authentication.
- Some built-in URLs are already pre-configured for SAML to function correctly.
- Select the checkbox corresponding to your SAML IdP here. You can also click on the info bubbles to view the list of built-in regular expressions.
- Additional entries may be added manually.
- Configure regular expressions that define which URLs are accessible without authentication.
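The following is an added example, not part of the Shield documentation or product code: a small harness for checking a candidate Allowed URLs regular expression before adding it, so that an entry meant for the IdP flow does not also exempt other URLs from authentication. It assumes patterns are applied as unanchored searches over the full URL, which this page does not state; the hostnames, URLs and both patterns are constructed for illustration.

```python
import re

# Constructed sample URLs (not taken from Shield).
# URLs the SAML flow needs to reach before the user is authenticated:
MUST_ALLOW = [
    "https://login.idp.example/saml/sso?SAMLRequest=abc",
    "https://login.idp.example/static/app.css",
]
# URLs that must still require authentication:
MUST_BLOCK = [
    "https://login.idp.example.other.test/saml/sso",   # IdP name is only a host prefix
    "https://loginXidp.example/saml/sso",              # differs where the pattern has "."
    "https://other.test/?next=https://login.idp.example/saml/sso",  # IdP URL inside query
    "https://intranet.corp.example/payroll",           # unrelated internal site
]

# Candidate allow-list entries (constructed).
LOOSE = r"login.idp.example"
STRICT = r"^https://login\.idp\.example(:443)?/(saml|static)/\S*$"


def audit(pattern, search=True):
    """Return (missed, leaked) for one candidate pattern.

    missed: required URLs the pattern does not match (SAML login would break).
    leaked: URLs that would be reachable without authentication by mistake.
    search=True models unanchored matching (assumption); False models a
    full-string match.
    """
    rx = re.compile(pattern)
    match = rx.search if search else rx.fullmatch
    missed = [u for u in MUST_ALLOW if not match(u)]
    leaked = [u for u in MUST_BLOCK if match(u)]
    return missed, leaked


def is_acceptable(pattern, search=True):
    """True only when the pattern covers every required URL and nothing else."""
    missed, leaked = audit(pattern, search)
    return not missed and not leaked


if __name__ == "__main__":
    for name, pat in (("LOOSE", LOOSE), ("STRICT", STRICT)):
        missed, leaked = audit(pat)
        print(f"{name}: acceptable={is_acceptable(pat)}")
        for u in missed:
            print(f"  missed: {u}")
        for u in leaked:
            print(f"  leaked: {u}")
```

Replace the two sample lists with the URLs your own IdP flow uses and the internal URLs you care about, then run each manually added entry through `audit` before saving it.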