Security Provider Setting Fields
These fields apply to the security_provider_setting_added, security_provider_setting_changed, and security_provider_setting_removed events.
| Field | Value | Explanation |
|---|---|---|
| cluster:mode | failover | The mode in which this cluster is set to operate. |
| cluster:retry:delay | integer | The number of seconds to wait after a cluster member becomes unavailable before trying that cluster member again. |
| default_group_policy:id | string | The unique identifier of the default group policy to apply to users who authenticate against this security provider. |
| default_group_policy:name | string | The name of the default group policy to apply to users who authenticate against this security provider. |
| kerberos:spns:list | string | The list of SPNs by which this provider is identified if the Kerberos SPN handling mode is set to list. |
| kerberos:spns:mode | all, list | The way SPNs are matched to this provider. all handles any SPN recognized by the keytab, while list handles only the specified list of SPNs. |
| kerberos:strip_realm | 1 or 0 | 1: The REALM portion is stripped from the User Principal Name when constructing the username and (optionally) the display name. |
| kerberos:users:mode | all, list, regex | The way users are matched to this provider. all handles any valid authentication attempt, list handles only the specified list of users, and regex handles only users who match the specified regular expression. |
| kerberos:users:regex | string | The Perl-compatible regular expression that user principals must match to be considered part of this provider if the Kerberos user handling mode is set to regex. |
| ldap:agent | 1 or 0 | 1: A connection agent is being used to enable communication. |
| ldap:agent:password | **** | The password used by the connection agent. |
| ldap:binding:anonymous | 1 or 0 | 1: Anonymous binding is being used. |
| ldap:binding:password | **** | The password used for binding. |
| ldap:binding:username | string | The username used for binding. |
| ldap:cache | 1 or 0 | 1: The LDAP object cache is enabled. |
| ldap:cert | `<data>` | Indicates that a certificate has been uploaded or changed. Only the value `<data>` is displayed. |
| ldap:display_name | string | The set of LDAP attributes used to populate group display names. |
| ldap:display_query | string | The LDAP query used to determine which users and groups to display when browsing via group policies. |
| ldap:encryption | none, ssl, starttls | The type of security encryption to use. none indicates non-encrypted LDAP, ssl indicates LDAPS, and starttls indicates LDAP with TLS. |
| ldap:groups:objects | string | The LDAP objectClasses that are considered valid groups. |
| ldap:groups:recursive | 1 or 0 | 1: Perform recursive group lookup, searching for group members of groups until no results are returned. |
| ldap:groups:search_base | string | The distinguishedName at which to start searching for groups. |
| ldap:groups:unique_id | string | The set of LDAP attributes used to uniquely identify groups in the LDAP server. |
| ldap:groups:user_to_group_relationship | string | The mapping of LDAP attributes used to determine a user's group memberships. |
| ldap:host | string | The hostname of the LDAP server. |
| ldap:port | string | The port through which to connect to the LDAP server. |
| ldap:user_display_query | string | The LDAP query used to define which results are displayed when adding users to a group policy. |
| ldap:users:objects | string | The LDAP objectClasses that are considered valid users. |
| ldap:users:query | string | The LDAP query used to map a particular username to an LDAP user object. |
| ldap:users:search_base | string | The distinguishedName at which to start searching for users. |
| ldap:users:user_id | string | The set of LDAP attributes used to uniquely identify users in the LDAP server. |
| provider:id | string | The unique identifier of the provider to which this setting applies. |
| provider:name | string | The name of the provider to which this setting applies. |
| radius:host | string | The hostname of the RADIUS server. |
| radius:port | string | The port through which to connect to the RADIUS server. |
| radius:shared_secret | **** | The shared secret to use in connecting to the RADIUS server. |
| radius:timeout | integer | The number of seconds allowed to elapse before the RADIUS server is considered to have timed out. |
| radius:users:mode | all, list | The way users are matched to this provider. all handles any valid authentication attempt, and list handles only the specified list of users. |
| saml:associated_domains | string | Associated SAML email domains. |
| saml:email | string | The user attribute to use as the email address. |
| saml:groups:list | delimited string | The list of groups associated with the identity provider. The delimiter is set in the user interface. |
| saml:groups:lookup | string | The name of the attribute that contains the names of groups to which users should belong. |
| saml:idp:cert | string | The identity provider's certificate. When you first create a SAML security provider, this value is metadata. Once you have uploaded the identity provider's metadata, the value appears in the form provider_cert.<provider_id>.server_cert.cert. |
| saml:idp:entity_id | string | The unique identifier for the identity provider you are using. |
| saml:idp:login_url | string | The URL to which you are automatically redirected to sign into BeyondTrust using SAML. |
| saml:idp:request_bind | string | Either urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect or urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST. |
| saml:name_id_format | string | Always urn:oasis:names:tc:SAML:2.0:nameid-format:persistent. |
| saml:sp:entity_id | string | The URL of your public site. This uniquely identifies the service provider. |
| saml:user_name | string | The user attribute to use as the username. |
| users:list | string | The list of users allowed to authenticate against this provider to access your BeyondTrust software. |
| sync_display_name | 1 or 0 | 1: Every time a user logs in, their display name is synchronized with the available remote information. |
| scim:email | string | The user attribute to use as the email address. |
| scim:user_name | string | The user attribute to use as the username. |
| scim:private_display_name | string | The user attribute to use as the private display name. |
| scim:public_display_name | string | The user attribute to use as the public display name. |
| scim:vendor | string | The SCIM system being used for privileged identity management, such as SailPoint. |
| scim:users:query_id | id | The {id} element used for simple GET queries for users. |
| scim:group:query_id | id | The {id} element used for simple GET queries for groups. |
| scim:users:id_case_insensitive | Enabled, Disabled | Indicates whether user ID matching is case-insensitive. The value is Disabled by default. |
| scim:users:user_id | string | The set of SCIM attributes used to uniquely identify users. |
| scim:users:provision | boolean | Boolean denoting whether provisioning of a user is enforced. |
| vendor:duration | integer | The frequency with which notifications are sent to the PRA User. The unit is hours, with a minimum of 1 hour and a maximum of 168 hours (1 week). |
| vendor:duration_enabled | 1 or 0 | 1: An email is sent to the PRA User if there are users in the "Users Awaiting Action" table. 0: No emails are sent if there are users in the "Users Awaiting Action" table. |
| vendor:last_notified | string | The last date and time a "Users Awaiting Action" email was sent to the PRA User. |
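The table above is what a SIEM rule over these events has to work with. The following is an added example, not code from the BeyondTrust documentation: a small review routine that takes an already-parsed `security_provider_setting_*` event (a dict of the field names in the table mapped to their values, as produced by whatever upstream parser handles the syslog line; the wire format itself is not shown on this page) and reports the settings a defender would want to double-check, such as `ldap:encryption` set to `none`, anonymous binding, a `users:mode` of `all`, or a credential field appearing in a change event. The events in `SAMPLE_EVENTS` and the provider names in them are constructed for illustration.

```python
"""Flag risky settings in BeyondTrust security_provider_setting_* events.

Added example, not part of the BeyondTrust documentation. It assumes the
syslog event has already been parsed into a dict of field name -> value using
the field names from the table above. The sample events are constructed.
"""

# Fields whose value is masked (****) in the event; a change to one of these is
# a credential rotation that should match a change request.
SECRET_FIELDS = {
    "ldap:agent:password",
    "ldap:binding:password",
    "radius:shared_secret",
}

# (field, value) pairs documented in the table that weaken the provider, with
# the reason to surface to the analyst.
WEAK_VALUES = {
    ("ldap:encryption", "none"): "LDAP traffic, including bind credentials, is unencrypted",
    ("ldap:binding:anonymous", "1"): "anonymous LDAP bind is in use",
    ("kerberos:users:mode", "all"): "any principal the KDC authenticates is accepted",
    ("radius:users:mode", "all"): "any user the RADIUS server authenticates is accepted",
    ("kerberos:strip_realm", "1"): "realm is stripped from the UPN, so users from different realms can collide on username",
}


def review_event(event_type: str, fields: dict) -> list[str]:
    """Return human-readable findings for one event; an empty list means nothing notable."""
    provider = fields.get("provider:name") or fields.get("provider:id") or "<unknown provider>"
    findings = []

    if event_type == "security_provider_setting_removed":
        removed = sorted(k for k in fields if not k.startswith("provider:"))
        findings.append(f"{provider}: setting(s) removed: {', '.join(removed)}")
        return findings

    # Applies to security_provider_setting_added and security_provider_setting_changed.
    for key, value in fields.items():
        if key in SECRET_FIELDS:
            findings.append(f"{provider}: credential {key} changed; confirm a matching change request")
        reason = WEAK_VALUES.get((key, value))
        if reason:
            findings.append(f"{provider}: {key}={value}: {reason}")
        if key.startswith("default_group_policy:"):
            # The default group policy decides what a newly authenticated user may do.
            findings.append(f"{provider}: default group policy now {value}; check the privileges it grants")
    return findings


def review_all(events: list[tuple[str, dict]]) -> list[list[str]]:
    """Review a batch of (event_type, fields) tuples, preserving order."""
    return [review_event(event_type, fields) for event_type, fields in events]


# Constructed sample events, keyed with the field names from the table above.
SAMPLE_EVENTS = [
    ("security_provider_setting_changed",
     {"provider:id": "42", "provider:name": "Corp LDAP",
      "ldap:encryption": "none", "ldap:binding:password": "****"}),
    ("security_provider_setting_changed",
     {"provider:id": "7", "provider:name": "Corp RADIUS",
      "radius:users:mode": "list", "radius:timeout": "5"}),
    ("security_provider_setting_removed",
     {"provider:id": "42", "provider:name": "Corp LDAP", "ldap:cert": "<data>"}),
]

if __name__ == "__main__":
    for (event_type, fields), findings in zip(SAMPLE_EVENTS, review_all(SAMPLE_EVENTS)):
        print(event_type, fields.get("provider:name"))
        for line in findings or ["  (nothing notable)"]:
            print(" ", line)
```

The masked `****` value tells you only that a secret changed, not what it became, so the useful signal is the change itself correlated with who made it and whether a change request exists. The second sample event is deliberately benign to show that a tightening change (`radius:users:mode` set to `list`) produces no finding.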