Security & SSO Schema
Schemas
SecurityQuestion
| Property | Type | Description |
|---|---|---|
| id | integer | Question ID |
| name | string | Question text |
| enabled | boolean | Whether the question is active |
| answer | string | Answer to the question |
| _warning | string | Warning message if applicable |
NPR_Result
Used for security question validation submissions.
| Property | Type | Description |
|---|---|---|
| windows_user | string | Windows username |
| email_address | string | User email address |
| activedirectory_dn | string | Azure AD distinguished name |
| onpremise_activedirectory_dn | string | On-premises AD distinguished name |
| enrolled | boolean | Whether the user is enrolled in security questions |
| questions | array of SecurityQuestion | The user's security questions |
| hide_answers | boolean | Whether answers are hidden |
| validated | boolean | Whether validation passed |
AuditPasswordField
| Property | Type | Description |
|---|---|---|
| object_type | integer | Type of object the password field is attached to |
| object_id | integer | ID of the associated object |
| field_id | integer | Password field ID |
| value | string | Field value |
| object | PasswordObjectType | Reference to the password object type |
| _warning | string | Warning message if applicable |
Audit
| Property | Type | Description |
|---|---|---|
| id | integer | Audit record ID |
| ticket_id | integer | Associated ticket ID |
| agent_id | integer | Agent who performed the action |
| user_id | integer | User who performed the action |
| username | string | Username of the actor |
| date | datetime | Timestamp of the audited action |
| datetime_from | datetime | Start of the changed value's time range |
| datetime_to | datetime | End of the changed value's time range |
| value | string | Description of the change |
| from | string | Previous value |
| to | string | New value |
| table_name | string | Database table affected |
| id1 | integer | Primary record ID |
| id2 | integer | Secondary record ID |
| clientid | integer | Associated client ID |
| actoutcome | string | Outcome of the audited action |
| guid | uuid | Unique identifier |
| _redact | boolean | Whether the record should be redacted |
| _warning | string | Warning message if applicable |
SecureSecretLink
| Property | Type | Description |
|---|---|---|
| id | integer | Link ID |
| ticket_id | integer | Associated ticket |
| user_id | integer | Owning user |
| viewed | boolean | Whether the link has been accessed |
| date_viewed | datetime | When the link was accessed |
| new_secure_secret_value | string | The secret value to share |
| new_secure_passphrase | string | Optional passphrase to protect the link |
| password_link_expiration | integer | Expiration time (in hours or days) |
| expiry_date | datetime | Computed expiry timestamp |
| attempts | integer | Number of access attempts |
| generated_secure_link | string | The generated shareable URL |
| _isvalidate | boolean | Whether this is a validation request |
ImpersonationRequest
| Property | Type | Description |
|---|---|---|
| irid | integer | Impersonation request ID |
| requestor | integer | Agent ID of the requestor |
| agent | integer | Target agent ID |
| user | integer | Target user ID |
| timestamp | datetime | When the request was created |
| enc_id | integer | Encrypted identifier |
| token_used | boolean | Whether the impersonation token has been used |
| used_timestamp | datetime | When the token was used |
| jwt | string | JWT token for impersonation |
| _warning | string | Warning message if applicable |
KeyVault
| Property | Type | Description |
|---|---|---|
| id | integer | Vault entry ID |
| name | string | Display name |
| url | string | Azure Key Vault URL |
| connection_type | integer | Authentication type (e.g., managed identity) |
| managed_identity_id | string | Managed identity client ID |
| _warning | string | Warning message if applicable |
SingleSignOnApplication
Represents an OIDC/SAML SSO application configuration.
| Property | Type | Description |
|---|---|---|
| id | integer | Application ID |
| guid | uuid | Unique identifier |
| name | string | Application display name |
| instance_id | integer | Associated HaloPSA instance |
| type | integer | SSO protocol type |
| type_description | string | Human-readable type label |
| oidc_url | string | OIDC discovery or authority URL |
| client_id | string | OAuth2 client ID |
| oidc_type | integer | OIDC subtype |
| new_client_secret | string | New client secret (write-only) |
| active | boolean | Whether the application is enabled |
| allowed_entities | integer | Who can authenticate (agents, users, both) |
| auto_redirect_agent | boolean | Auto-redirect agents to this SSO provider |
| auto_redirect_user | boolean | Auto-redirect users to this SSO provider |
| single_logout | boolean | Enable single logout |
| prompt | string | OIDC prompt parameter |
| id_attribute | integer | Field used as the identifier attribute |
| custom_id_attribute | string | Custom identifier attribute name |
| user_matching_field | integer | HaloPSA field to match against the SSO identity |
| allow_user_provisoning | boolean | Auto-provision users on first SSO login |
| domain_matching | boolean | Match users by email domain |
| default_site | integer | Default site for provisioned users |
| button_label | string | Login button label |
| button_colour | string | Login button color |
| button_logo | string | Login button logo |
| domain_hint | string | Domain hint passed to the identity provider |
| app_type | integer | Application category |
| allowed_tenants | string | Comma-separated allowed tenant IDs |
| extra_claim_validation | array | Additional claims to validate on login |
| log_attempts | boolean | Log all SSO attempts |
| scope | string | OAuth2 scopes requested |
AzureADConnection
Represents an Azure AD / Microsoft Entra integration connection. Used for SSO, user sync, Intune device sync, and Microsoft Sentinel integration.
Core Identity:
| Property | Type | Description |
|---|---|---|
| id | integer | Connection ID |
| guid | uuid | Unique identifier |
| name | string | Connection display name |
| domain | string | Primary domain |
| directoryid | string | Azure AD tenant (directory) ID |
| applicationid | string | Azure AD application (client) ID |
| type | integer | Connection type |
| authorized | boolean | Whether OAuth authorization is complete |
| redirect_uri | string | OAuth redirect URI |
| token_expiry | datetime | Access token expiry |
| authority | integer | Authority/cloud type (e.g., commercial, GCC) |
| authentication_type | integer | Authentication method (client secret, certificate, managed identity, ROPC) |
| credential_type | integer | Credential type for authentication |
Sync & Import Settings:
| Property | Type | Description |
|---|---|---|
| halointegratorenabled | boolean | Whether HaloIntegrator sync is active |
| halointegrator_lastsync | datetime | Last successful sync timestamp |
| halointegrator_lasterror | string | Last sync error message |
| createunmatchedusers | boolean | Create new users for unmatched Azure AD accounts |
| deactivate_users | boolean | Deactivate users removed in Azure AD |
| deactivate_agents | boolean | Deactivate agents removed in Azure AD |
| auto_create_mappings | boolean | Automatically create site/client mappings |
| auto_allow_sso | boolean | Auto-enable SSO for synced users |
| use_delta_queries | boolean | Use the delta query API for incremental sync |
| dont_sync_new_tenants | boolean | Skip auto-syncing newly discovered tenants |
Intune Settings:
| Property | Type | Description |
|---|---|---|
| intune_enabled | boolean | Enable Intune device import |
| intune_dont_update_type | boolean | Do not update asset type on re-import |
| intune_unlink_users | boolean | Unlink users from Intune devices |
| intuneusermatchingfield | integer | Field used to match Intune users |
| default_intune_status | integer | Default status for imported Intune devices |
| intune_inactive_status | integer | Status for inactive Intune devices |
| intune_inactive_days_past_lastsyncdate | integer | Days past last sync before marking a device inactive |
| intune_recovered_status | integer | Status to set when an inactive device reconnects |
| intune_delete_status | integer | Status to set for deleted Intune devices |
Field Mappings:
| Property | Type | Description |
|---|---|---|
| mappings_user | array | Field mappings for user sync |
| mappings_agent | array | Field mappings for agent sync |
| mappings_agent_roles | array | Role mappings for agents |
| mappings_user_roles | array | Role mappings for users |
| mappings_site | array (AzureADMapping) | Azure AD group to HaloPSA site mappings |
| mappings_client | array (AreaAzureTenant) | Azure AD tenant to HaloPSA client mappings |
| mappings_device | array | Field mappings for device sync |
| mappings_ticket | array | Field mappings for Sentinel ticket import |
| mappings_priority | array | Priority mappings |
LDAPConnection
Represents an LDAP/Active Directory connection for on-premises directory sync.
| Property | Type | Description |
|---|---|---|
| id | integer | Connection ID |
| guid | uuid | Unique identifier |
| name | string | Connection display name |
| hostname | string | LDAP server hostname or IP address |
| domainname | string | Active Directory domain name |
| port | string | LDAP port (389 by default; 636 for LDAPS) |
| use_ssl | boolean | Use LDAPS (SSL/TLS) |
| connection_type | string | Connection type identifier |
| authentication_type | string | Authentication method |
| username | string | Service account username |
| integrator_password | string | Service account password (write-only) |
| basedn | string | Base distinguished name for searches |
| synccontacts | boolean | Sync contacts in addition to users |
| external | boolean | Whether the LDAP server is external |
| pagesize | integer | Results page size for large directories |
| useadauthentication | integer | AD authentication method |
| halointegratorenabled | boolean | Enable HaloIntegrator sync |
| halointegrator_lastsync | datetime | Last successful sync timestamp |
| halointegrator_lasterror | string | Last sync error message |
| allow_access | boolean | Allow directory access |
| mappings_user | array (LDAPName) | Field mappings for users |
| mappings_agent | array (LDAPName) | Field mappings for agents |
| ldap_strings | array (LDAPString) | LDAP filter strings |
| integrator_type | integer | Integrator sync type |