Security Provider Setting Fields

These fields apply to the security_provider_setting_added, security_provider_setting_changed, and security_provider_setting_removed events.

Field Value Explanation

cluster:mode

failover
random

The mode in which this cluster is set to operate.

cluster:retry:delay

integer

The number of seconds to wait after a cluster member becomes unavailable before trying that cluster member again.

default_group_policy:id

string

The unique identifier of the default group policy to apply to users who authenticate against this security provider.

default_group_policy:name

string

The name of the default group policy to apply to users who authenticate against this security provider.

kerberos:spns:list

string

The list of SPNs by which this provider is identified if the Kerberos SPN handling mode is set to list.

kerberos:spns:mode

all
list

The way SPNs are matched to this provider. All handles any SPN recognized by the keytab, while list handles only the specified list of SPNs.

kerberos:strip_realm

1 or 0

1: The REALM portion will be stripped from the User Principal Name when constructing the username and (optionally) the display name.
0: The REALM portion will not be stripped from the User Principal Name.

kerberos:users:mode

all
list
regex

The way users are matched to this provider. All handles any valid authentication attempt, list handles only the specified list of users, and regex handles only users who match the specified regular expression.

kerberos:users:regex

string

The Perl-compatible regular expression that user principals must match to be considered part of this provider if the Kerberos user handling mode is set to regex.

ldap:agent

1 or 0

1: A connection agent is being used to enable communication.
0: The LDAP server and the B Series Appliance communicate directly.

ldap:agent:password

****

The password used by the LDAP connection agent. Only the masked value **** is displayed.

ldap:binding:anonymous

1 or 0

1: Anonymous binding is being used.
0: A bind username and password are required.

ldap:binding:password

****

The password used for binding.

ldap:binding:username

string

The username used for binding.

ldap:cache

1 or 0

1: LDAP object cache is enabled.
0: LDAP object cache is disabled.

ldap:cert

<data>
or blank

Indicates that a certificate has been uploaded or changed. Only the value <data> will be displayed.

ldap:display_name

string

The set of LDAP attributes used to populate group display names.

ldap:display_query

string

The LDAP query used to determine which users and groups to display when browsing via group policies.

ldap:encryption

none
ssl
starttls

The type of security encryption to use. None indicates non-encrypted LDAP, ssl indicates LDAPS, and starttls indicates LDAP with TLS.

ldap:groups:objects

string

The LDAP objectClasses that are considered valid groups.

ldap:groups:recursive

1 or 0

1: Perform recursive group lookup, searching for group members of groups until no results are returned.
0: Execute only one group lookup query.

ldap:groups:search_base

string

The distinguishedName at which to start searching for groups.

ldap:groups:unique_id

string

The set of LDAP attributes used to uniquely identify groups in the LDAP server.

ldap:groups:user_to_group_relationship

string

The mapping of LDAP attributes used to determine a user's group memberships.

ldap:host

string

The hostname of the LDAP server.

ldap:port

string

The port through which to connect to the LDAP server.

ldap:user_display_query

string

The LDAP query used to define which results are displayed when adding users to a group policy.

ldap:users:objects

string

The LDAP objectClasses that are considered valid users.

ldap:users:query

string

The LDAP query used to map a particular username to an LDAP user object.

ldap:users:search_base

string

The distinguishedName at which to start searching for users.

ldap:users:user_id

string

The set of LDAP attributes used to uniquely identify users in the LDAP server.

provider:id

string

The unique identifier of the provider to which this setting applies.

provider:name

string

The name of the provider to which this setting applies.

radius:host

string

The hostname of the RADIUS server.

radius:port

string

The port through which to connect to the RADIUS server.

radius:shared_secret

****

The shared secret to use in connecting to the RADIUS server.

radius:timeout

integer

The number of seconds allowed to elapse before the RADIUS server has timed out.

radius:users:mode

all
list

The way users are matched to this provider. All handles any valid authentication attempt, and list handles only the specified list of users.

saml:associated_domains

string

Associated SAML email domains.

saml:email

string

The user attribute to use as the email address.

saml:groups:list

delimited string

The list of groups associated with the identity provider. The delimiter is set in the user interface.

saml:groups:lookup

string

The name of the attribute that contains the names of groups to which users should belong.

saml:idp:cert

string

The identity provider's certificate. When you first create a SAML security provider, this value will be metadata. Once you have uploaded the identity provider's metadata, the value will appear in the form of provider_cert.<provider_id>.server_cert.cert.

saml:idp:entity_id

string

The unique identifier for the identity provider you are using.

saml:idp:login_url

string

The URL where you are automatically redirected to sign into BeyondTrust using SAML.

saml:idp:request_bind

string

Either urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect or urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST.

saml:name_id_format

string

Will always be urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.

saml:sp:entity_id

string

The URL of your public site. This uniquely identifies the service provider.

saml:user_name

string

The user attribute to use as the username.

users:list

string

The list of users allowed to authenticate against this provider to access your BeyondTrust software.

sync_display_name

1 or 0

1: Every time a user logs in, their display name should be synchronized with the available remote information.
0: A user's display name should be synchronized with the available remote information only the first time the user logs in.

scim:email

string

The user attribute to use as the email address.

scim:user_name

string

The user attribute to use as the username.

scim:private_display_name

string

The user attribute to use as the private display name.

scim:public_display_name

string

The user attribute to use as the public display name.

scim:vendor

string

The SCIM system being used for privileged identity management, such as SailPoint.

scim:users:query_id

id

The {id} element used for simple GET queries for users.

scim:group:query_id

id

The {id} element used for simple GET queries for groups.
scim:users:id_case_insensitive

Enabled
Disabled

Indicates whether user IDs are matched case-insensitively (Enabled) or case-sensitively (Disabled). The value is Disabled by default.
scim:users:user_id

string

The set of SCIM attributes used to uniquely identify users.

scim:users:provision

boolean

Whether provisioning of a user is enforced.

vendor:duration

integer

The frequency with which notifications are sent to the PRA User, in hours, with a minimum of 1 hour and a maximum of 168 hours (1 week).

vendor:duration_enabled

1 or 0

1: An email is sent to the PRA User if there are users in the "Users Awaiting Action" table.
0: No emails are sent if there are users in the "Users Awaiting Action" table.

vendor:last_notified

string

The last date and time a "Users Awaiting Action" email was sent to the PRA User.
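As an added example (not BeyondTrust's own code), the following Python reviews a security_provider_setting_changed event once it has been parsed into a mapping of the field names above to their values. This page does not show the on-the-wire format of the event, so the parsing step is assumed to have happened already and the sample events are constructed. The rules flag values the descriptions above identify as removing transport protection or broadening who can authenticate (ldap:encryption none, ldap:binding:anonymous 1, the users and SPN modes set to all), treat masked values (**** and <data>) as credential or certificate changes, and mark changes to the settings that steer which identities are accepted for review. The severity labels and reasons are this example's own wording.

```python
from dataclasses import dataclass

# Values the event masks; the change is visible but its content is not.
MASKED = {"****", "<data>"}

# Settings whose listed values widen who is accepted or remove transport protection.
# Field names and values come from the reference above; the reasons are this example's wording.
WEAKENING = {
    "ldap:encryption": ({"none"}, "LDAP traffic is no longer encrypted"),
    "ldap:binding:anonymous": ({"1"}, "anonymous LDAP bind enabled"),
    "kerberos:users:mode": ({"all"}, "any valid Kerberos authentication is accepted"),
    "radius:users:mode": ({"all"}, "any valid RADIUS authentication is accepted"),
    "kerberos:spns:mode": ({"all"}, "provider answers for any SPN in the keytab"),
}

# Settings that steer which identities are accepted or which rights they receive;
# any change to these merits a human look.
REVIEW = {
    "default_group_policy:id", "default_group_policy:name",
    "ldap:users:query", "ldap:groups:user_to_group_relationship",
    "kerberos:users:regex", "users:list",
    "saml:idp:cert", "saml:idp:entity_id", "saml:idp:login_url",
    "saml:groups:lookup", "scim:users:provision",
}


@dataclass
class Finding:
    field: str
    value: str
    severity: str   # "high" or "review"
    reason: str


def review_change(event):
    """Return findings for one parsed security_provider_setting_changed event (a dict)."""
    findings = []
    for field, value in event.items():
        if field.startswith("provider:"):   # identifies the provider, not a setting
            continue
        if value in MASKED:
            findings.append(Finding(field, value, "review", "credential or certificate material changed"))
        elif field in WEAKENING and value in WEAKENING[field][0]:
            findings.append(Finding(field, value, "high", WEAKENING[field][1]))
        elif field in REVIEW:
            findings.append(Finding(field, value, "review", "affects which identities are accepted"))
    return findings


def triage(events):
    """Map each provider name to its most severe finding level, or None if nothing was flagged."""
    rank = {"high": 2, "review": 1}
    result = {}
    for event in events:
        severities = [f.severity for f in review_change(event)]
        result[event["provider:name"]] = max(severities, key=rank.__getitem__) if severities else None
    return result


# Constructed sample events (not real log data); values follow the field reference above.
SAMPLE_EVENTS = [
    {"provider:id": "7", "provider:name": "Corp LDAP",
     "ldap:encryption": "none", "ldap:binding:anonymous": "1", "ldap:binding:password": "****"},
    {"provider:id": "9", "provider:name": "Corp SAML",
     "saml:idp:cert": "provider_cert.9.server_cert.cert"},
    {"provider:id": "3", "provider:name": "Corp RADIUS", "radius:timeout": "5"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        for finding in review_change(event):
            print(f"{event['provider:name']}: [{finding.severity}] {finding.field}={finding.value} ({finding.reason})")
    print(triage(SAMPLE_EVENTS))
```

Because the event masks passwords, shared secrets and certificates, the review cannot say what they became, only that they changed; correlating such findings with the who and when of the surrounding event record is the step that turns a flagged line into an investigation.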