Skip to content

Configuration >> ICAP

Admin Console Configuration

The Configuration section of the Admin Console is for controlling the application settings of Nullafi Shield. These affect the behavior of Shield itself, not the traffic flowing through it (see Policy for traffic behavior settings).


The ICAP Configuration section controls how the ICAP server interacts with the ICAP client (usually a proxy).


Headers are configurable custom HTTP Headers to be used by the ICAP as filters for rules with user, groups or the actual rule id as filters specified, you can also send some metadata on the activity header. See the details bellow:

  • Username Header : Configure the custom header name to track that username on the activity.
  • Group Header : Configure the custom header name to track that group name on the activity.
  • Rule ID Header : Configure the custom header name to send a rule ID that will be the only rule applied to that specific request.

  • Activity Log Data Header : Configure the custom header name to send some metadata to be store on the activity of that request.

Enable Rule Id Filter

When enabled, if the request has the Rule Id Header defined, the specified rule is applied ignoring all other rules.

Proxy Configuration

The Proxy Configuration has all the assets you need to configure your OS or Browser to send requests to our proxy. See the details bellow:

  • Download Certificate : Clicking this button will download the certificate that our proxy uses to sign the requests and secure the connection.
  • Download PAC File : Clicking this button will download our PAC file that will be configured based on your Applications Configuration.

  • PAC File URL : From this field you can click the copy button to copy our PAC file url and setup the PAC configuration based on a URL instead of the file option above.


Security as a more advanced authentication mechanism than the Custom Username/Group Headers of the Headers Section, there are three options supported:

  • No Authentication : No authentication mechanism will be requested when using our proxy.
  • Proxy : Proxy Authentication will use the LDAP setup configured on the Directory Integrations page to authenticate to our proxy.
  • SAML : SAML option will work as any SAML workflow where you'll need to configure a Identity Provider (IDp) of your choice to be used as an authentication gateway to our proxy. See the details bellow:

    • Session Timeout : Configure how long this session can be idle (don't receive any requests) until it expires.

    • Max. Session Duration : Configure how long this session will be persisted until it expires.

    • Set IDp Metadata : You can get this IDp Metadata either as a Url or as a XML, this is required for the SAML so our proxy as a Service Provider can trust this IDp server.

    • Download SP Metadata : Clicking this button will download our Service Provider metadata xml file that needs to be uploaded into your IDp server configuration so that we can be added as a trusted Service Provider.

    • Clear User Sessions : Clicking this button will expire all active sessions using our proxy and require them to re-authenticate.

    • Allowed URLs : Access for URLs that match patterns on this list will be allowed even if the user is not authenticated, we already offer some built-in urls that are required to be allowed for the SAML workflow to work properly, but you can add any additional url you need using regular expression sintax.

    • You can also see a table with the current SAML sessions to check the Username, Client IP, User Agent and Groups information. From there your can hover the row and click the options button to delete a specific active session of your choice.