Directory Integrations
Nullafi Shield can integrate with directory services for end user identification in policy enforcement and also to allow multiple system administrators to access the Web Management Console. Integration documentation for third-party directories is provided here to facilitate deployment but should not be considered authoritative. Please refer to the documentation provided by your directory service provider or software for additional information.
Validated Directories
The list below contains well-documented user directories that Nullafi has tested (in-house or on-premise) and validated to work with Shield. If your directory is not listed, please consult the documentation provided by its vendor. In most cases the configuration needed to connect Shield to another directory is similar to that of the validated directories listed below, since SAML and LDAP are common protocols.
| Vendor | Product Name | Integration Type |
|---|---|---|
| | Workspace | SAML |
| Microsoft | Entra ID (formerly Azure AD) | SAML |
| Microsoft | Active Directory | LDAP |
| Okta | Okta Platform | SAML |
Directory Uses
Nullafi Shield can use directory data for multiple purposes, and gain access to that data via multiple methods.
Directory Data Uses
- Web Console Access: Access to the Web Management Console (see Dashboard Security) can be controlled by specific group membership in a directory. For example, you can create a "Shield Admins" group in your directory and assign membership to employees who should have access to the Web Management Console.
- End User Authentication: In many cases, the ICAP client (Secure Web Gateway or Proxy) will authenticate users before it allows traffic to pass through. If the client is not configured to authenticate users, Shield can perform that action instead. When ICAP Security is set to SAML, Shield will use the directory integration to learn which users should be allowed to access web resources.
- User Based Policy: Shield can take the user's identity into account when enforcing data classification and redaction policies.
- Group Based Policy: In addition to the user's identity, Shield can also enforce Rules based on the user's group membership. In fact, this is probably a more useful way to target policies. Rather than list individual users in a Rule, Shield can consider groups (like "Support Team" or "Marketing Department"). In some cases, Shield obtains the user identity and group membership at the same time, and in others Shield must be configured separately to ingest user and group information.
Directory Data Integration Methods
- SAML
- LDAP
- ICAP Proxy Headers
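The following is an added illustration (not Nullafi's code or data format) of the two situations described under Directory Data Uses and Directory Data Integration Methods: an identity whose group membership arrives together with the user (SAML assertion) versus one where only the username is known (ICAP proxy header) and groups must come from a separately ingested directory snapshot. The group names, rule names and the `GROUP_SNAPSHOT` dictionary are constructed sample data.

```python
from dataclasses import dataclass, field

# Hypothetical model of the identity a policy engine needs; not Shield's own.
@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset = field(default_factory=frozenset)

@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset  # empty set means the rule applies to every user

# Constructed sample: a separately ingested group snapshot (e.g. from LDAP),
# consulted when the identity source carries only a username.
GROUP_SNAPSHOT = {
    "alice": {"Support Team", "Shield Admins"},
    "bob": {"Marketing Department"},
}

def identity_from_saml(attrs):
    """SAML: user and group membership arrive together in the assertion."""
    return Identity(attrs["user"], frozenset(attrs.get("groups", [])))

def identity_from_icap_header(username, group_snapshot=GROUP_SNAPSHOT):
    """ICAP proxy headers: only the username is known, so groups are resolved
    from the directory snapshot. Unknown users get no groups at all."""
    return Identity(username, frozenset(group_snapshot.get(username, ())))

def console_access(identity, admin_group="Shield Admins"):
    """Web Management Console access is granted only by admin group membership."""
    return admin_group in identity.groups

def applicable_rules(identity, rules):
    """A rule applies if it is unrestricted or the user is in one of its groups;
    membership, not individual usernames, drives the decision."""
    return [r.name for r in rules if not r.groups or r.groups & identity.groups]

# Constructed sample rules: one global, two targeted at groups.
RULES = [
    Rule("redact-ssn-everywhere", frozenset()),
    Rule("allow-ticket-pii", frozenset({"Support Team"})),
    Rule("mask-campaign-data", frozenset({"Marketing Department"})),
]
```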