Page 1: Unison 1.0 - Tremolo Security Inc. · PDF fileWhat is Unison? Tremolo Security’s Unison is a unified cloud identity system for web applications. Unison provides the ... as headers.

Unison 1.0.6

Application Integration Guide


Unison 1.0.6: Application Integration Guide

Copyright © 2012 - 2015 Tremolo Security Inc.


Table of Contents

1. Introduction
   What is Unison?
   How Does Unison Integrate with Applications?
   What Do You Need to Get Started?

2. Last Mile Integration
   Introduction
   Java and J2EE
      Who Am I?
      Generic J2EE Servlet Filter
      Apache Tomcat Valve
      JBoss Application Server 7.1
      Oracle Weblogic
   Microsoft IIS
      Who Am I?
      ASP.NET IHttpModule
   Apache
      Who Am I?
      mod_auth_tremolo
   IdP Initiated SAML2
      Who Am I?
      Generic Headers

3. LDAP Virtual Directory
   Introduction
   Schema Normalization
   Data Organization
   Interacting with Unison's Virtual Directory
      How to Authenticate Users
      How to Retrieve User Data
      Connection Management

4. Provisioning API
   Introduction
   How the API Works
      Reliability and Asynchronous Execution
   Operations
      Login
      User Lookup
      Execute Workflow
      Executed Workflows
      Execute Approval
      List Approvals
      List Organizations
      List Workflows
      List Portal URLs


Chapter 1. Introduction

What is Unison?

Tremolo Security’s Unison is a unified cloud identity system for web applications. Unison provides the identity functions most commonly needed by applications, including:

• Authentication

• Federation

• PIV Cards / SSL

• Username and Password

• Virtual Directory

• Authorization

• Just-in-Time Provisioning

• Application Integration

• User Provisioning Web Services

Unison sits as a reverse proxy between your application and your users:


When your application uses Unison, users will interact with your application by entering a URL, such as https://www.mycompany.com/application, which will take them to Unison. Unison will:

1. Authenticate them using its internal LDAP virtual directory

2. Authorize them to use the application

3. Provide mechanisms to add headers and transform the request

4. Forward the request to the application

5. Provide LDAP virtual directory services to the application

6. Process the application’s response

7. Provide mechanisms to add headers or cookies, or to transform the response

8. Forward the response back to the user


Unison provides a wide variety of functions as a reverse proxy to applications. Applications can also leverage Unison as an LDAP virtual directory without using the reverse proxy, as in the below diagram:

In the above scenario Unison is an LDAP virtual directory that provides identity data to an application using the LDAP standard. This provides a simple integration method for applications that need to authenticate users with a username and password. In this method the sequence of events is:

1. User accesses the application

2. The application prompts the user for a username and password

3. The application uses an LDAP library to search for the user using Unison


4. Unison returns the user’s Distinguished Name

5. The application uses an LDAP library to perform an LDAP Bind to authenticate the user
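The search-then-bind sequence above, worked through in Java with JNDI as an added example (this is not code from the guide or from Tremolo Security). The LDAP URL, search base, service account DN and the uid attribute are assumptions to be replaced with the values your Unison administrator provides. The point a practitioner should take from it is the use of a `{0}` filter argument, which JNDI escapes so that the username entered by the user cannot alter the search filter, and the explicit rejection of empty passwords, which many directories would otherwise treat as an anonymous bind.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// Search-then-bind authentication against an LDAP virtual directory.
// Illustrative code, not Tremolo Security's. Host, base DN, service account and
// attribute names are assumptions and must match your Unison configuration.
public class LdapSearchThenBind {

    // Assumed values: replace with those provided by your Unison administrator.
    private static final String LDAP_URL = "ldaps://unison.mycompany.com:636";
    private static final String SEARCH_BASE = "ou=users,dc=mycompany,dc=com";
    private static final String SERVICE_DN = "cn=app-service,ou=services,dc=mycompany,dc=com";
    private static final String SERVICE_PASSWORD = System.getenv("LDAP_SERVICE_PASSWORD");

    private static DirContext connect(String bindDn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    // Steps 3 and 4: search for the user with the service account and obtain the DN.
    // Returns null unless exactly one entry matches.
    static String findUserDn(String username) throws NamingException {
        DirContext ctx = connect(SERVICE_DN, SERVICE_PASSWORD);
        try {
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            controls.setReturningAttributes(new String[0]); // only the DN is needed
            // {0} is substituted by JNDI with RFC 4515 escaping, so a username such as
            // "*)(uid=*" is matched literally and cannot rewrite the filter (LDAP injection).
            NamingEnumeration<SearchResult> results =
                ctx.search(SEARCH_BASE, "(uid={0})", new Object[] { username }, controls);
            if (!results.hasMore()) {
                return null; // no such user
            }
            String dn = results.next().getNameInNamespace();
            if (results.hasMore()) {
                return null; // ambiguous match: refuse rather than guess
            }
            return dn;
        } finally {
            ctx.close();
        }
    }

    // Step 5: bind as the user. A successful bind proves the password.
    static boolean authenticate(String username, String password) {
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            return false; // an empty password would be an anonymous bind, which "succeeds"
        }
        try {
            String dn = findUserDn(username);
            if (dn == null) {
                return false;
            }
            connect(dn, password).close();
            return true;
        } catch (NamingException e) {
            // A wrong password (AuthenticationException) and connectivity errors both fail closed.
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println(authenticate(args[0], args[1]) ? "authenticated" : "rejected");
    }
}
```

The example opens a fresh connection for each search and each bind to keep the two steps visible; a production integration would pool the service-account connection and reuse it across lookups.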

Using Unison as an LDAP virtual directory can be a good first integration step. Note that this method does not provide much of the functionality that Unison offers for applications, including:

• Federation

• PIV / SSL Authentication

• Common Access Controls

How Does Unison Integrate with Applications?

Unison provides these primary integration methods:

1. Secure Last Mile

2. Standard Headers

3. LDAP

4. Provisioning Web Services API

The tightest integration is Unison’s Secure Last Mile, which provides the application identity data in a locked-down process that minimizes the amount of integration work in the application. Additionally, Unison can add standard headers to HTTP requests. An application can also use standard LDAP calls to Unison to retrieve user data and perform authentication. Finally, Unison offers a RESTful API for retrieving user data and triggering workflows. This API can be used in place of the LDAP Virtual Directory where a web service is more appropriate than an LDAP connection or where user data needs to be updated in a controlled way.

This guide details precisely how to integrate your application with Unison using any of these methods.

What Do You Need to Get Started?

Every application has different requirements for integration. When beginning an integration, some items to have are:

1. Application documentation

2. Authentication requirements

3. Identity Data Specs

In addition to identifying how the application will integrate, you will need to work with your Unison administrator to configure Unison and determine how to use the LDAP virtual directory.


Chapter 2. Last Mile Integration

Introduction

Unison’s Secure Last Mile is a specialized system that Unison uses to integrate backend applications. The Secure Last Mile system uses an encrypted header to securely pass the current user’s context to the application.

All of the Secure Last Mile systems detailed below provide identity data in the following ways:


1. User Context – Every web and application server has a custom method for setting the user’s context. For instance, in J2EE the context is retrieved using the getUserPrincipal() method. Unison’s Secure Last Mile can create this context.

2. Secure Headers – Many web applications want identity information as a simple HTTP header in the request. While this method is simple, it is insecure: anyone with the correct access can spoof user information without having credentials to authenticate themselves. Unison solves this problem by providing web applications headers that can be securely relied upon.

3. Role Information – Many web and application servers have the concept of “roles” to describe what a user has access to without having to do a directory lookup. Unison’s Secure Last Mile can provide this information without an extra lookup.

The below sections detail how to use these modules to integrate with your application. See the Unison Installation Guide for instructions on how to install the Secure Last Mile layer for specific systems, and the Unison “Cook Book” for specific applications that have been verified to work with Unison.

Java and J2EE

Who Am I?

Java and J2EE provide a basic framework for retrieving identity data for a given user. The Java Secure Last Mile system can:

1. Provide a user principal object

2. Provide role information to satisfy the isUserInRole() method

3. Provide secure headers for attribute information

Unison can provide identity data to a Java application in several ways. Since each application is different, it is important to have several options. This section shows, at a code level, how to get the user's identity using J2EE standards. Note that there are several frameworks for web application development on Java, many with their own ways of getting identity information. You should review your application's and framework's documentation for how to extract a user's identity. Also check the Tremolo Security Wiki for updates on specific applications and frameworks.

Depending on the J2EE container you can often mix and match authentication and data retrieval methods. For instance, in Red Hat’s JBoss you can configure authentication to use Unison’s Last Mile but retrieve data using Unison’s integrated LDAP virtual directory. This offers the best of both worlds, as your application can externalize authentication but still utilize the application's integrated authorization system with virtual data. Check your application server’s documentation and the Tremolo Security Wiki for details on how to perform these types of integrations.

User Principal

Unison supports container managed security by providing the user principal object, which contains the user’s id:

    // getUserPrincipal() returns a java.security.Principal, or null if no user is authenticated
    java.security.Principal userPrincipal = request.getUserPrincipal();
    String userID = userPrincipal.getName();

User Role Check

If an application uses container managed security for checking a user's role, Unison can map an attributeto a list of roles and make it available to the application:


    if (request.isUserInRole("MyRole")) {
        // Perform an action
    }

Secure Header

Many applications expect to retrieve the user's identifier (and other attributes) as headers. Unison's Last Mile can create these headers without their being transmitted in clear text.

    // retrieve the userid from a secure header
    String userID = request.getHeader("USER_ID");

Generic J2EE Servlet Filter

For applications that do not wish to configure container managed security in their application server but still want to use container managed security objects, Unison offers a J2EE filter that wraps the request object, overriding the getUserPrincipal(), getRemoteUser() and isUserInRole() methods. It can also create Secure Headers from the Last Mile token.

Unison has filters for both the Servlet 2.5 API and the 3.x API. Make sure to choose the API version that is appropriate to your servlet container.

When configuring this filter use the following steps:

1. Ensure that your application server is deployed with unlimited key size for encryption

2. Download the correct Last Mile binaries for your Java version

3. Configure the LastMile Security filter in Unison on your application, and place the binaries in the WEB-INF/lib directory of your web application

4. Download the key store from the LastMile Security filter in Unison

5. Add the filter configuration from the LastMile security filter in Unison to your WEB-INF/web.xml file

6. Add the filter mapping configuration from the LastMile Security filter in Unison to your WEB-INF/web.xml file BEFORE any other filter or servlet mappings

7. Deploy your application

While Unison will generate the correct configuration based on the choices made in the LastMile Security filter configuration, the below table maps out each parameter:

debug
    If set to true, will output additional log messages.
    Example: true/false

headerName
    Name of the Last Mile header injected by Unison.
    Example: tremoloHeader

roleAttribute
    The attribute from the Last Mile header used to identify roles for the isUserInRole() method.
    Example: roles

createHeaders
    If set to yes the filter will make the attributes configured on the LastMile Security filter available as HTTP headers from request.getHeader().
    Example: yes/no

userAttribute
    The name of the attribute from the Last Mile header to use to identify the user in the getUserPrincipal() and getRemoteUser() methods.
    Example: uid or mail

keyStore
    The name of the key store relative to the web application's root.
    Example: WEB-INF/lastmile.jks

keyPass
    The password for unlocking the keystore.

encKeyAlias
    The name of the key for decrypting the Last Mile header from the keystore.

ignoreURI
    A URI (not relative to the application, but relative to "/") for which verification is NOT run. This is useful in situations such as web services that will not go through a Unison proxy and are authenticated using another mechanism.
    Example: /services

postValidateClassName
    Implementation of the CustomLastMile interface (see the SDK) that can be run AFTER the Last Mile filter has validated the request.

verifyOnly
    If set to true the Unison Last Mile filter will only verify the request, but not wrap the request object. This is useful in situations where the application server's security is used for authentication and setting the user's context but the Last Mile filter will still be used to verify individual requests.
    Example: false
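To make the filter's behaviour concrete, here is an illustrative filter in the shape of the generic J2EE filter described above. It is an added example and is not Tremolo Security's code: the token layout and the HMAC check stand in for Unison's encrypted header and key store (the `hmacKeyBase64` init parameter is an assumption that replaces keyStore/keyPass/encKeyAlias), so that the request wrapping, the `ignoreURI` match against the URI relative to "/", the `verifyOnly` mode and the fail-closed handling of a missing or invalid token can be shown end to end. It depends on the Servlet API (javax.servlet) being on the classpath.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.*;
import javax.servlet.http.*;

// Illustrative Last Mile-style filter, NOT Tremolo Security's code. The token format and
// HMAC verification below are stand-ins for Unison's encrypted header and key store.
public class LastMileStyleFilter implements Filter {
    private String headerName, userAttribute, roleAttribute, ignoreUri;
    private boolean verifyOnly;
    private byte[] key;

    @Override
    public void init(FilterConfig cfg) {
        headerName    = cfg.getInitParameter("headerName");    // e.g. tremoloHeader
        userAttribute = cfg.getInitParameter("userAttribute"); // e.g. uid
        roleAttribute = cfg.getInitParameter("roleAttribute"); // e.g. roles
        ignoreUri     = cfg.getInitParameter("ignoreURI");     // e.g. /services
        verifyOnly    = Boolean.parseBoolean(cfg.getInitParameter("verifyOnly"));
        // Assumed parameter for this example; Unison's filter loads a key from keyStore/keyPass instead.
        key = Base64.getDecoder().decode(cfg.getInitParameter("hmacKeyBase64"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String uri = request.getRequestURI(); // includes the context path, i.e. relative to "/"

        if (ignoreUri != null && uri.startsWith(ignoreUri)) {
            chain.doFilter(req, res); // authenticated by another mechanism, not verified here
            return;
        }
        Map<String, List<String>> attrs =
            verifyAndDecode(request.getHeader(headerName), uri, key, System.currentTimeMillis() / 1000);
        if (attrs == null) {
            // Fail closed: without a valid token the request did not come through Unison.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // verifyOnly: the container's own security sets the user context; only verification happens here.
        chain.doFilter(verifyOnly ? request : new IdentityRequest(request, attrs), res);
    }

    @Override
    public void destroy() {}

    // Constructed token layout for this example:
    //   base64url(uri|expiryEpochSeconds|attr=v1,v2;attr2=v3) "." base64url(HMAC-SHA256 of part one)
    // Binding the token to the URI and a time window is what keeps a captured header from being
    // replayed against another URI or at a later time.
    static Map<String, List<String>> verifyAndDecode(String token, String requestUri, byte[] key, long now) {
        if (token == null) return null;
        String[] parts = token.split("\\.", -1);
        if (parts.length != 2) return null;
        try {
            byte[] payload = Base64.getUrlDecoder().decode(parts[0]);
            byte[] sig = Base64.getUrlDecoder().decode(parts[1]);
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            if (!MessageDigest.isEqual(mac.doFinal(payload), sig)) return null; // constant-time compare
            String[] fields = new String(payload, StandardCharsets.UTF_8).split("\\|", -1);
            if (fields.length != 3 || !fields[0].equals(requestUri)) return null; // issued for another URI
            if (Long.parseLong(fields[1]) < now) return null;                       // expired
            Map<String, List<String>> attrs = new HashMap<>();
            for (String pair : fields[2].split(";")) {
                int eq = pair.indexOf('=');
                if (eq < 1) return null;
                attrs.put(pair.substring(0, eq), Arrays.asList(pair.substring(eq + 1).split(",")));
            }
            return attrs;
        } catch (IllegalArgumentException | GeneralSecurityException e) {
            return null; // bad base64, bad number, bad key: all treated as an invalid token
        }
    }

    // Wrapper that answers the container-managed security methods from the verified attributes.
    private class IdentityRequest extends HttpServletRequestWrapper {
        private final Map<String, List<String>> attrs;

        IdentityRequest(HttpServletRequest r, Map<String, List<String>> attrs) { super(r); this.attrs = attrs; }

        @Override public String getRemoteUser() {
            List<String> v = attrs.get(userAttribute);
            return v == null ? null : v.get(0);
        }

        @Override public Principal getUserPrincipal() {
            String name = getRemoteUser();
            if (name == null) return null;
            return () -> name;
        }

        @Override public boolean isUserInRole(String role) {
            List<String> roles = attrs.get(roleAttribute);
            return roles != null && roles.contains(role);
        }
    }
}
```

Because the wrapper is what later code sees as the request, the filter mapping has to come before any other filter or servlet mapping in web.xml, exactly as step 6 above requires; a filter mapped earlier would still see the unwrapped request and an unauthenticated principal.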

Finally, in addition to the standard J2EE APIs Unison provides additional objects not available in the J2EE specs. These objects are proprietary to Tremolo Security and will not exist on other platforms:

Request attribute tremolosecurity.loginlevel
    The numeric value of the authentication level associated with the chain used to authenticate the user.

Request attribute tremolosecurity.authchain
    The name of the authentication chain used to authenticate the user.
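The following servlet shows the standard and proprietary objects from this section used together in application code. It is an added example, not code from the guide: the role name, the secure header name and the minimum login level are assumptions that must match how the LastMile Security filter is configured in Unison. The detail worth noting is that the servlet fails closed when no principal is present instead of falling back to a header, and it uses the proprietary login level to require a stronger authentication chain for a sensitive page. It depends on the Servlet API (javax.servlet) being on the classpath.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not from the guide: a servlet that consumes what the Last Mile filter or
// valve exposes. Role name, header name and the minimum login level are assumptions.
public class AccountServlet extends HttpServlet {
    private static final String REQUIRED_ROLE = "MyRole";    // assumed role mapped via roleAttribute
    private static final String MAIL_HEADER = "USER_MAIL";   // assumed secure header (createHeaders=yes)
    private static final int REQUIRED_LOGIN_LEVEL = 20;      // assumed level of the stronger auth chain

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // 1. Who am I? getUserPrincipal() is null when no Last Mile token was verified;
        //    fail closed instead of falling back to an unverified header.
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // 2. Container-managed role check, answered from the Last Mile roleAttribute.
        if (!request.isUserInRole(REQUIRED_ROLE)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // 3. Proprietary request attributes: insist on a strong enough authentication chain
        //    before serving a sensitive page (step-up). A missing level counts as the weakest.
        int loginLevel = parseLoginLevel(request.getAttribute("tremolosecurity.loginlevel"));
        Object chain = request.getAttribute("tremolosecurity.authchain");
        if (loginLevel < REQUIRED_LOGIN_LEVEL) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // 4. Attribute data from a secure header, present only when createHeaders is enabled.
        String mail = request.getHeader(MAIL_HEADER);

        response.setContentType("text/plain");
        response.getWriter().println("user=" + principal.getName()
            + " mail=" + (mail == null ? "n/a" : mail)
            + " chain=" + chain + " level=" + loginLevel);
    }

    // The guide documents the attribute as numeric without fixing its Java type,
    // so accept both a Number and its String form; anything else is level 0.
    static int parseLoginLevel(Object attr) {
        if (attr instanceof Number) {
            return ((Number) attr).intValue();
        }
        if (attr instanceof String) {
            try {
                return Integer.parseInt(((String) attr).trim());
            } catch (NumberFormatException e) {
                return 0;
            }
        }
        return 0;
    }
}
```

The numeric value to compare against is whatever your Unison administrator assigned to the authentication chains; the servlet only needs to know the threshold, not the chain names.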


Apache Tomcat Valve

For Apache Tomcat 6 and 7 Unison can populate the getUserPrincipal(), getRemoteUser() and isUserInRole() methods using a Valve rather than the generic servlet filter. This offers the advantage of being configured outside of your application's web.xml file. It can also create Secure Headers from the Last Mile token. NOTE: The valve will execute on every request, so there is no reason to combine this with the generic J2EE filter.

When configuring the valve use the following steps:

1. Ensure that Tomcat is deployed with unlimited key size for encryption

2. Download the correct Last Mile binaries for your Java version

3. Place the binaries in the lib directory of your Tomcat server

4. Configure the LastMile Security filter in Unison on your application

5. Download the key store from the LastMile Security filter in Unison and add it to the WEB-INF folder of your application

6. Add the filter configuration from the LastMile Security filter in Unison to your META-INF/context.xml file

7. Deploy your application

NOTE: If you change your context.xml it will not be automatically refreshed by Tomcat; you need to delete the old one from the conf directory.

While Unison will generate the correct configuration based on the choices made in the LastMile Security filter configuration, the below table maps out each parameter:

debug
    If set to true, will output additional log messages.
    Example: true/false

headerName
    Name of the Last Mile header injected by Unison.
    Example: tremoloHeader

roleAttribute
    The attribute from the Last Mile header used to identify roles for the isUserInRole() method.
    Example: roles

createHeaders
    If set to true the valve will make the attributes configured on the LastMile Security filter available as HTTP headers from request.getHeader().
    Example: true/false

userAttribute
    The name of the attribute from the Last Mile header to use to identify the user in the getUserPrincipal() and getRemoteUser() methods.
    Example: uid or mail

pathToKeyStore
    The name of the key store relative to the web application's root.
    Example: WEB-INF/lastmile.jks

keyPass
    The password for unlocking the keystore.

encryptionKeyName
    The name of the key for decrypting the Last Mile header from the keystore.

ignoreURI
    A URI (not relative to the application, but relative to "/") for which verification is NOT run. This is useful in situations such as web services that will not go through a Unison proxy and are authenticated using another mechanism.
    Example: /services

postValidateClassName
    Implementation of the CustomLastMile interface (see the SDK) that can be run AFTER the Last Mile valve has validated the request.

Finally, in addition to the standard J2EE APIs Unison provides additional objects not available in the J2EE specs. These objects are proprietary to Tremolo Security and will not exist on other platforms:

Request attribute tremolosecurity.loginlevel
    The numeric value of the authentication level associated with the chain used to authenticate the user.

Request attribute tremolosecurity.authchain
    The name of the authentication chain used to authenticate the user.

JBoss Application Server 7.1

For JBoss 7.1 and up (including JBoss EAP 6.x and up) Unison can populate the getUserPrincipal(), getRemoteUser() and isUserInRole() methods using a Valve and Login Module rather than the generic servlet filter. This offers the advantage of being configured outside of your application's web.xml file. It can also create Secure Headers from the Last Mile token. NOTE: The valve will execute on every request, so there is no reason to combine this with the generic J2EE filter.

When configuring the login module and valve use the following steps:

1. Ensure that JBoss is deployed with unlimited key size for encryption

2. Download the correct Last Mile binaries for your Java version

3. Copy the module into the JBoss modules directory

4. OPTIONAL: If using a post-validation class, the class's jar files should be added to the Unison Last Mile module or added as a dependency

5. Either make the module a global module or add it as a dependency onto your web application

6. Add the unisonsecuritydomain from the config directory of the Last Mile binaries to JBoss' security-domains section


7. Configure the LastMile Security filter in Unison on your application

8. Download the key store from the LastMile Security filter in Unison and add it somewhere JBoss has access to

9. Add the configuration from the LastMile security filter in Unison to your WEB-INF/jboss-web.xml file

10. Deploy your application

While Unison will generate the correct configuration based on the choices made in the LastMile Security filter configuration, the below table maps out each parameter:

headerName
    Name of the Last Mile header injected by Unison.
    Example: tremoloHeader

roleAttribute
    The attribute from the Last Mile header used to identify roles for the isUserInRole() method.
    Example: roles

createHeaders
    If set to true the valve will make the attributes configured on the LastMile Security filter available as HTTP headers from request.getHeader().
    Example: true/false

userAttribute
    The name of the attribute from the Last Mile header to use to identify the user in the getUserPrincipal() and getRemoteUser() methods.
    Example: uid or mail

pathToKeyStore
    The name of the key store relative to the web application's root.
    Example: /path/to/lastmile.jks

keyPass
    The password for unlocking the keystore.

encryptionKeyName
    The name of the key for decrypting the Last Mile header from the keystore.

postValidateClassName
    Implementation of the CustomLastMile interface (see the SDK) that can be run AFTER the Last Mile valve has validated the request.

Finally, in addition to the standard J2EE APIs Unison provides additional objects not available in the J2EE specs. These objects are proprietary to Tremolo Security and will not exist on other platforms:

Request attribute tremolosecurity.loginlevel
    The numeric value of the authentication level associated with the chain used to authenticate the user.

Request attribute tremolosecurity.authchain
    The name of the authentication chain used to authenticate the user.


Oracle Weblogic

Oracle Weblogic supports Identity Asserters, which may be used to set an application's identity inside of Weblogic (as opposed to just in the application). This is useful in situations where an application relies on web services, queues and other container managed services. Finally, when using the Fusion Middleware stack this identity asserter will provide the proper information.

NOTE: When configuring the Identity Asserter, Last Mile will ONLY run when authenticating a user. If Unison is being used for authorizations it is recommended that the LastMile J2EE Filter be deployed with verifyOnly=yes to continue to enforce authorizations.

When configuring the Identity Asserter use the following steps:

1. Ensure that Weblogic is deployed with unlimited key size for encryption

2. Download the correct Identity Asserter for your version of WebLogic

3. Place tremoloIdentityAsserter.jar in $WEBLOGIC_HOME/wlserver_10.3/server/lib/mbeantypes

4. Place the additional jar files in $WEBLOGIC_HOME/wlserver_10.3/server/lib

5. Configure the LastMile Security filter in Unison on your application, and ensure that the header name is "tremoloHeader"

6. Download the key store from the LastMile Security filter in Unison and place it in a location that is accessible by Weblogic

7. Restart the Weblogic administration server

8. From inside the Weblogic administration server, add a TremoloIdentityAsserter provider and set it to the top of the list

9. Configure based on the below table

Weblogic Identity Asserter Configuration Parameters:

Debug
    If set to true, will output additional log messages.
    Example: true/false

UserAttribute
    The name of the attribute from the Last Mile header to use to identify the user in the getUserPrincipal() and getRemoteUser() methods.
    Example: uid or mail

KeyStorePath
    The full path to the Java keystore generated by Unison.
    Example: /home/oracle/lastmile.jks

KeystorePass
    The password for unlocking the keystore.

KeyAlias
    The name of the key for decrypting the Last Mile header from the keystore.

PostValidationClass
    Implementation of the CustomLastMile interface (see the SDK) that can be run AFTER the Last Mile valve has validated the request.

Microsoft IIS

IIS is supported for ASP.NET 4.x and up, as well as legacy applications configured using the integrated pipeline.

Who Am I?

Unison can provide IIS and ASP.NET based applications a wide array of identity integration options. The ASP.NET Secure Last Mile layer is a standard .NET IHttpModule that transparently decodes the Secure Last Mile header and provides your application identity data.

Impersonation

IIS is often deployed with Active Directory to support users. This offers the advantage of using AD as a single point of management for identity information. Unison can integrate with applications using Microsoft's extensions to Kerberos called S4U2Self and S4U2Proxy, also known as Constrained Delegation and impersonation. This allows applications that rely on Kerberos tokens and authorizations in AD groups to continue to use them. When using impersonation, the user's identity can be taken from the typical Windows Identity Foundation objects.

IPrincipal Object

To retrieve a user's IPrincipal object:

    System.Security.Principal.IPrincipal user = Context.User;
    string loginID = user.Identity.Name;

Role Check

To check a user's roles:

    System.Security.Principal.IPrincipal user = Context.User;
    if (user.IsInRole("MyRole"))
    {
        // do something
    }

Injection

If Active Directory is not being used for web applications, Unison supports injection in a similar fashion as with J2EE and LAMP applications. Using injection the Windows Identity Framework objects are still available, but an application can also leverage Secure Headers.

IPrincipal Object

To retrieve a user's IPrincipal object:

    System.Security.Principal.IPrincipal user = Context.User;
    string loginID = user.Identity.Name;


Role Check

To check a user's roles:

    System.Security.Principal.IPrincipal user = Context.User;
    if (user.IsInRole("MyRole"))
    {
        // do something
    }

Secure Headers

Unison can create headers which are encrypted transparently to the application and can be retrieved using standard ASP.NET code for retrieving headers:

    // GetValues returns all values of the header, or null if it is absent
    string[] userIDs = Request.Headers.GetValues("USER_ID");

ASP.NET IHttpModule

The ASP.NET IHttpModule for IIS provides the bridge from Unison to IIS. It will support either an ASP.NET application running in a classic pipeline or a legacy application running in an integrated pipeline. To deploy the module:

1. Copy the TremoloLastMileDotNet.dll into the application's bin directory OR install into c:\Windows\Assemblys

2. Create a Last Mile Security filter in Unison

3. Add the "appSettings" section of the Last Mile configuration to the "configuration" section of the Web.config file

4. Add the Last Mile module to the configuration.system.webServer.modules section of Web.config

The following configuration options are available for the IHttpModule:

headerName
    The name of the Last Mile header.
    Example: tremoloHeader

key
    Base 64 encoded key used to decrypt the Last Mile header.

createHeaders
    If true, the attributes configured in the Last Mile header are added as headers to the request.
    Example: true/false

validate
    If true, will validate that the Last Mile header is for the correct URI and in the correct time span.
    Example: true/false

createUser
    If true, will create a Windows Identity Foundation object for the user.
    Example: true/false

impersonate
    If true, will create the Windows Identity Foundation object via impersonation (S4U2Self & S4U2Proxy).
    Example: true/false

upnAttributeName
    The name of the attribute from the Last Mile header that represents the user's login id.
    Example: true/false

Apache

The Apache HTTPD server is supported using an authentication module that works similarly to mod_auth_ldap or any other authentication module in Apache. This module is stateless and does not maintain a session; however, on each request it will either create headers or set the HTTP_REMOTE_USER environment variable.

Who Am I?

Each language that runs on Apache (e.g. PHP, Perl, Python, Ruby, etc.) has its own methods for extracting a user id from Apache (or a header). See each platform's documentation for how to extract the user's identity based on the HTTP_REMOTE_USER environment variable or a header created by a Secure Header.

mod_auth_tremolo

The mod_auth_tremolo Apache module requires:

1. httpd

2. openssl

3. boost-date

The steps for deploying mod_auth_tremolo are:

1. Copy mod_auth_tremolo.so to the Apache modules directory

2. Add "LoadModule auth_tremolo_module modules/mod_auth_tremolo.so" to the httpd.conf file

3. Inside the Apache context (for example a Location or Directory block) that the Last Mile module should protect, add the configuration for mod_auth_tremolo

The following configuration options are available for mod_auth_tremolo:

Option                  | Description                                                                                    | Example
AuthType                | Apache configuration to specify how a user is authenticated                                    | TremoloLastMile
TremoloHeaderName       | The name of the Last Mile header                                                               | tremoloHeader
TremoloEncodedKey       | Base64-encoded key used to decrypt the Last Mile header                                        |
TremoloCreateHeaders    | If On, the attributes configured in the Last Mile header are added as headers to the request   | On/Off
TremoloUidAttributeName | The name of the attribute from the Last Mile header that represents the user's login id        | uid
Require                 | Apache configuration option to specify who is authorized                                       | valid-user

IdP Initiated SAML2

Some applications will not easily accept a header or other means to externalize the authentication of a user, but they will accept a SAML2 token using IdP initiated assertions. To configure this method, see the Pre-Authentication HTTP Filter configuration in the Unison Administration Reference Guide for details on how to configure this option.

Who Am I?

See the application's documentation on how to integrate.

Generic Headers

In the event that an application cannot support a Last Mile configuration, Unison is capable of creating generic HTTP headers using a Result Group that is configured on the application. This method is the least secure of all methods, as these headers can easily be spoofed by bypassing Unison. To protect against this scenario it is recommended that HTTPS Mutual Authentication is configured between Unison and the application's web server.

Who Am I?

See the application's documentation for how to extract injected HTTP headers.


Chapter 3. LDAP Virtual Directory

Introduction

Unison utilizes an internal virtual directory for accessing user data. This directory can use LDAP directories, Active Directory forests, relational databases and even custom stores like web services. Unison’s virtual directory supports only the search and bind LDAP operations. Entry modification and addition are not supported via the LDAP interface. To update data, it’s suggested that you integrate with the workflow engine covered in this guide.

Schema Normalization

An LDAP virtual directory often combines disparate directory sources, such as an Active Directory, a standard inetOrgPerson directory such as Sun Directory, and a relational database. To combine these sources into a usable format Unison must normalize the attributes into a common format. The format Unison uses is the inetOrgPerson LDAP schema. The table below lists common attributes and how they map in Unison.

Use                    | Active Directory | inetOrgPerson | Unison
User Name / Identifier | samAccountName   | uid           | uid
Group Membership       | member           | uniqueMember  | uniqueMember

This means that if the directory that stores your users is Active Directory, but you are accessing it via the Unison virtual directory, you would search for the user using the attribute “uid” rather than the Active Directory attribute “samAccountName”.


Data Organization

Data is organized in a standard form in Unison’s Directory Information Tree (DIT). All user data is stored under “o=Tremolo” with each configured directory as an ou underneath with the name as configured in Unison. For instance, if three directories are configured: “Internal Users”, “External Users” and “Contractors”, the following DIT would exist:

Interacting with Unison's Virtual Directory

How to Authenticate Users

User authentication in LDAP is generally a two-step process:

1. Search for the user using whatever username they provided (ie a user id, email address, etc)

2. The search results will return an entry with a distinguished name; use the Distinguished Name in an LDAP Bind operation to authenticate the user

When searching for the user always use the search base of “o=Tremolo” as described in “Data Organization”.

How to Retrieve User Data

User data is retrieved from Unison’s virtual directory using the standard LDAP search operation. As explained in the previous sections, the root of the virtual directory is “o=Tremolo”.

Connection Management

When interacting with a virtual directory there are typically two models:


1. Single Pool – A single pool of connections is used with a single service account. This model is most often used when only retrieving user data from the virtual directory.

2. Dual Pool – Two pools are utilized. The first is referred to as a “Search” pool and is used for looking up user data. This pool uses a single service account like the pool in the “Single Pool” model. The second pool is used for LDAP Bind operations to authenticate users. This pool is only used for authentication, so no service account is used.

For security and performance reasons option #2 is recommended when performing authentications. While a single pool could be used, it would require a rebind on every search operation, or complex logic for tracking which account the current connection is bound to, which often introduces security risks.
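The search-then-bind flow from "How to Authenticate Users" combined with the dual-pool model above, as an added example that is not Tremolo's own code. The two pools are stand-in classes over a constructed in-memory DIT so the flow runs offline; a real client would back them with an LDAP library connected to the Unison virtual directory. The filter escaping is the part worth keeping: the login comes straight from the user, so it must not be able to change the filter's structure.

```python
"""Search-then-bind against the Unison virtual directory with a search pool
(service account, lookups only) and a bind pool (user's own credentials).
Added example, not Tremolo's code; the DIT below is constructed sample data."""
import re
from typing import List, Optional

SEARCH_BASE = "o=Tremolo"   # root of the virtual directory (see "Data Organization")

# Constructed sample data: dn -> (attributes, password). Unison normalizes the
# login id to "uid" even when the backing store is Active Directory.
FAKE_DIT = {
    "uid=testsaml2,ou=internal,ou=GenericLDAP,o=Tremolo":
        ({"uid": ["testsaml2"], "cn": ["Test SAML2"]}, "s3cret"),
    "uid=jdoe,ou=internal,ou=GenericLDAP,o=Tremolo":
        ({"uid": ["jdoe"], "cn": ["John Doe"]}, "hunter2"),
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a user-supplied login cannot alter the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def user_filter(login: str) -> str:
    """Step 1 filter: look the user up by the normalized 'uid' attribute."""
    return "(uid=%s)" % escape_filter_value(login)


def _unescape(raw: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)


class SearchPool:
    """Stands in for the 'Search' pool: bound once with a service account, searches only."""
    _EQ = re.compile(r"^\((\w+)=(.*)\)$")

    def search(self, base: str, ldap_filter: str) -> List[str]:
        m = self._EQ.match(ldap_filter)
        if not m:
            raise ValueError("stand-in supports single equality filters only")
        attr, raw = m.groups()
        hits = []
        for dn, (attrs, _) in FAKE_DIT.items():
            if not dn.endswith(base):
                continue
            # A bare '*' is a presence filter and matches every entry; an escaped
            # login can never produce it.
            if raw == "*" or _unescape(raw) in attrs.get(attr, []):
                hits.append(dn)
        return hits


class BindPool:
    """Stands in for the bind pool: no service account, every bind uses the user's own DN."""
    def bind(self, dn: str, password: str) -> bool:
        entry = FAKE_DIT.get(dn)
        return entry is not None and entry[1] == password


def authenticate(search_pool: SearchPool, bind_pool: BindPool,
                 login: str, password: str) -> Optional[str]:
    """Return the user's DN on success, None otherwise."""
    if not password:
        # An empty password turns the bind into an unauthenticated bind, which
        # many servers accept; reject it before touching the bind pool.
        return None
    dns = search_pool.search(SEARCH_BASE, user_filter(login))
    if len(dns) != 1:
        return None          # unknown or ambiguous user: never bind a guess
    return dns[0] if bind_pool.bind(dns[0], password) else None
```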


Chapter 4. Provisioning API

Introduction

Unison provides a simple api for interacting with the virtual directory and workflow engines. The API can be used to search for users or execute workflows to update or create users. The API operations are described below and rely on JSON for encapsulating requests and data. The API is authenticated using SSL mutual authentication. To get started you will need:

1. An HTTP api that recognizes 302 redirects and can manage cookies

2. A certificate and key that is trusted by Unison

3. The base URL for the Unison server

Most modern HTTP APIs can satisfy these requirements.

How the API Works

When using the RESTful API the sequence is:

1. Login by accessing the login service

2. HTTP GET on the user lookup API

3. HTTP POST on the workflow API

When calling the login API, authentication is performed based on the certificate used to establish the SSL session. The user lookup API can look for a user based on their uid, a filter or dn. Finally, the workflow API is used to push user data into a workflow. The workflow engine is data centric, not CRUD centric. This means that the engine will perform a sync. It's recommended to use a JSON library when encoding JSON. All operations result in an implementation of the com.tremolosecurity.provisioning.service.util.ProvisioningResult class. See the SDK for specific properties on this class. If an api call is successful there will be at least one property called "success" with a value of "true". The SDK provides implementations for serializing and deserializing responses in both Java and .Net.

Reliability and Asynchronous Execution

By default all workflows executed by the api are asynchronous and "reliable". Responses are returned before the workflow is completed and if a step should fail for some reason, ie a directory or database is down, the task is retried.

Operations

Login

The login operation establishes a session for the user associated with the SSL certificate used for SSL mutual authentication to be able to interact with the API. Once this operation is complete a session cookie is generated and used moving forward.

Operation: Login
URI: /services/wf/login
HTTP Operation: GET
Parameters: None
Return: HTTP 200;

{success:"true"}

User Lookup

The web services API provides a simple user lookup system for getting user attributes. This interface is not meant to replace the LDAP Virtual Directory but is meant to provide a simple way for systems interacting with Unison’s provisioning services to retrieve user information as Unison sees it. The service can only return a single user. A user can be looked up in three ways:

1. UID – Unison will look up the user based on their uid attribute

2. Distinguished Name – Searches for the user based on their distinguished name inside of Unison’s virtual directory

3. LDAP Filter – Uses an LDAP filter to search for the user

The response from the service is a JSON object that encapsulates the user with the following syntax:

{
  "success": true,
  "user": {
    "uid": "testsaml2",
    "dn": "uid\u003dtestsaml2,ou\u003dinternal,ou\u003dGenericLDAP,o\u003dTremolo",
    "directory": "GenericLDAP",
    "attributes": [
      {"values": ["testsaml2"], "name": "uid"},
      {"values": ["Boston"], "name": "l"},
      {"values": ["SAML2"], "name": "sn"},
      {"values": ["Test SAML2"], "name": "cn"},
      {"values": ["inetOrgPerson"], "name": "objectClass"}
    ],
    "groups": ["linkedSAMLUsers"]
  }
}

If no entry is found then success will be "false" and there will be no user object.

Property   | Description
uid        | The unique user id mapped to the uid attribute
dn         | The distinguished name inside of the Unison virtual directory
attributes | List of name/value pairs of attributes. Each attribute is a list of strings
directory  | The name of the directory in Unison the user was found in
groups     | List of groups the user is a member of


Below are the options for calling the user lookup service

Operation: User Lookup
URI: /services/wf/search
HTTP Operation: GET
Parameters:
  Search – One of: uid, dn or filter
  Restrict Attributes – attr for each attribute (ie attr=cn&attr=sn&attr=mail)
Return: HTTP 200; text/json; described above

Execute Workflow

Unison’s workflow engine can be utilized by applications to create users, update their attributes or reset their passwords. Workflows are not CRUD; individual target implementations are responsible for synchronizing data. There are two types of workflows:

1. Full Synchronization – All attributes are synchronized; any missing attributes or groups are removed from the user

2. Add-Only Synchronization – The attributes that are in the request are added, but missing attributes and groups are not removed

Work with your Unison administrator to build out the appropriate workflows. The request for a workflow must contain a JSON encoded object that tells Unison which workflow to execute and the user data for the workflow.

{
  "name": "test",
  "uidAttributeName": "uid",
  "user": {
    "attributes": [
      {"values": ["testsaml5"], "name": "uid"},
      {"values": ["Test SAML5"], "name": "cn"},
      {"values": ["SAML5"], "name": "sn"},
      {"values": ["Boston"], "name": "l"}
    ],
    "groups": [],
    "userPassword": "mypassword"
  },
  "reason": "To do my job",
  "requestParams": {
    "param1": "value1",
    "param2": "value2"
  }
}

The request has these properties:

Property          | Description
name              | The name of the workflow to execute
uidAttributeName  | The name of the attribute used to determine the user’s id
user.attributes   | List of name/value pairs of attributes. Each attribute is a list of strings called "values" with a name called "name"
user.groups       | List of groups the user is a member of
user.userPassword | An optional password that may be set on user accounts
reason            | An optional reason for the request
requestParams     | A map of names to values for arbitrary parameters to be passed to a workflow

Below are the options for calling the workflow execution service

Operation: Execute Workflow
URI: /services/wf/execute
HTTP Operation: POST
Parameters: wfcall – URL Encoded JSON request
Return: HTTP 200;

{success:"true"}
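The login, user lookup and execute workflow sequence from "How the API Works", built as the request encodings this chapter documents. This is an added example, not Tremolo's SDK: requests are handed to a transport callable, and the constructed FakeTransport stands in for the Unison server so the sequence runs offline. A real client would pass an HTTPS session that presents the client certificate, follows 302 redirects and keeps the session cookie.

```python
"""Client-side helpers for the Unison provisioning services (login, lookup, execute).
Added example, not Tremolo's code; FakeTransport is a constructed stand-in server."""
import json
from typing import Callable, Dict, Iterable, Optional, Tuple
from urllib.parse import parse_qs, urlencode

LOGIN_PATH = "/services/wf/login"
SEARCH_PATH = "/services/wf/search"
EXECUTE_PATH = "/services/wf/execute"

Transport = Callable[[str, str, Optional[str]], str]   # (method, path, body) -> response text


def is_success(body: str) -> bool:
    """ProvisioningResult reports success as the string "true" in some responses and as
    JSON true in others; accept both and treat anything unparsable as failure."""
    try:
        return json.loads(body).get("success") in (True, "true")
    except (ValueError, AttributeError):
        return False


def search_query(uid: str, attrs: Iterable[str] = ()) -> str:
    """User lookup by uid, restricted to the given attributes (attr=cn&attr=sn)."""
    return urlencode([("uid", uid)] + [("attr", a) for a in attrs])


def workflow_request(name: str, uid_attr: str, attributes: Dict[str, list],
                     groups: Iterable[str] = (), password: Optional[str] = None,
                     reason: str = "", params: Optional[Dict[str, str]] = None) -> dict:
    """Build the JSON object the execute service expects (see the request properties)."""
    user = {"attributes": [{"values": list(v), "name": k} for k, v in attributes.items()],
            "groups": list(groups)}
    if password is not None:
        user["userPassword"] = password        # optional: omit rather than send ""
    return {"name": name, "uidAttributeName": uid_attr, "user": user,
            "reason": reason, "requestParams": params or {}}


def execute_form(request: dict) -> str:
    """The execute service takes the JSON in a URL-encoded 'wfcall' form field."""
    return urlencode({"wfcall": json.dumps(request)})


def provision(transport: Transport, uid: str, wf_name: str,
              attributes: Dict[str, list]) -> Tuple[bool, bool]:
    """Run the documented sequence: login, lookup, execute. Returns (user_existed, accepted).
    'accepted' only means the asynchronous workflow was queued, not that it completed."""
    if not is_success(transport("GET", LOGIN_PATH, None)):
        raise RuntimeError("login failed: client certificate not trusted by Unison")
    lookup = json.loads(transport("GET", SEARCH_PATH + "?" + search_query(uid, ["cn", "sn"]), None))
    existed = lookup.get("success") in (True, "true") and "user" in lookup
    req = workflow_request(wf_name, "uid", attributes, reason="update" if existed else "create")
    return existed, is_success(transport("POST", EXECUTE_PATH, execute_form(req)))


class FakeTransport:
    """Constructed stand-in for the Unison server: knows one user and one workflow."""
    def __init__(self) -> None:
        self.logged_in = False

    def __call__(self, method: str, path: str, body: Optional[str]) -> str:
        if method == "GET" and path == LOGIN_PATH:
            self.logged_in = True
            return '{"success":"true"}'
        if not self.logged_in:
            return '{"success":false}'           # no session cookie: nothing else is served
        if method == "GET" and path.startswith(SEARCH_PATH + "?"):
            q = parse_qs(path.split("?", 1)[1])
            if q.get("uid") == ["testsaml2"]:
                return '{"success":true,"user":{"uid":"testsaml2","attributes":[]}}'
            return '{"success":false}'
        if method == "POST" and path == EXECUTE_PATH:
            wf = json.loads(parse_qs(body)["wfcall"][0])
            return '{"success":"true"}' if wf["name"] == "test" else '{"success":false}'
        return '{"success":false}'
```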

Executed Workflows

This service will return a list of workflows that have been successfully completed by the user specified in the "user" parameter. This is useful when listing out which workflows a user can choose from but excluding those that have already been executed.

Operation: Executed Workflows
URI: /services/wf/executed
HTTP Operation: GET
Parameters: user – User's identifier, maps to the users.userKey field in the audit database
Return: HTTP 200;

{
  success: "true",
  workflowIds: ["workflowName1", "workflowName2"]
}

Execute Approval

Use this web service to act on an approval request for a specific workflow. This call can either be an approval or a denial of the request with an optional reason.

Operation: Execute Approval
URI: /services/approvals/execute
HTTP Operation: GET
Parameters:
  • approvalID - The id of the approval request (from List Approvals)
  • approver - The name of the approver acting on the request, should map to the approvers.userKey field
  • approved - true or false, if the request is approved or not
  • reason - The reason for this response
Return: HTTP 200;

{ success:"true"}

List Approvals

This service lists the open approvals for a given user. Use the output of this service when executing an approval.

Operation: List Approvals
URI: /services/approvals/list
HTTP Operation: GET
Parameters:
  • approver - The name of the approver acting on the request, should map to the approvers.userKey field
  • approvalID - The id of the approval for a more detailed response, 0 for a list of summaries
Return: If no approvalID is specified - HTTP 200;

{
  "success": true,
  "summaries": {
    "approvals": [
      {
        "workflow": 1,
        "approval": 1,
        "label": "Approve Access to LDAP",
        "user": "testsaml10",
        "wfStart": 1392512787000,
        "approvalStart": 1392512788000,
        "wfName": "testApproval",
        "wfDescription": "Select this workflow if you don\u0027t have access to the portal",
        "wfLabel": "Gain access to the portal",
        "reason": "this is a test workflow webservice"
      }
    ]
  }
}

If an approvalID is specified - HTTP 200;

{
  "success": true,
  "approvalDetail": {
    "userObj": {
      "userID": "testsaml10",
      "groups": [],
      "resync": false,
      "keepExternalAttrs": false,
      "JitAddToAuditDB": true,
      "requestReason": "this is a test workflow webservice",
      "attribs": {
        "uid": {"values": ["testsaml10"], "name": "uid"},
        "l": {"values": ["Boston"], "name": "l"},
        "sn": {"values": ["SAML5"], "name": "sn"},
        "cn": {"values": ["Test SAML5"], "name": "cn"}
      }
    },
    "workflow": 1,
    "approval": 1,
    "label": "Approve Access to LDAP",
    "user": "testsaml10",
    "wfStart": 1392513182000,
    "approvalStart": 1392513182000,
    "wfName": "testApproval",
    "wfDescription": "Select this workflow if you don\u0027t have access to the portal",
    "wfLabel": "Gain access to the portal",
    "reason": "this is a test workflow webservice"
  }
}

When setting approvalID to 0, a list of summaries for all open approval requests for the user is returned. Each summary has the following attributes:

Attribute     | Description
approval      | ID of the approval
label         | Label for the approval request
user          | User's name, maps to the users.userKey value
wfStart       | Timestamp of when the workflow was initiated, as milliseconds since epoch
approvalStart | Timestamp of when the approval was initiated, as milliseconds since epoch
wfName        | Name of the workflow the approval is a part of
wfDescription | Description of the workflow the approval is a part of
wfLabel       | Descriptive label for the workflow the approval is a part of
reason        | The reason for the original request

If an approvalID is specified the above attributes are returned for a single approval request along with the details of the user the workflow is being acted upon.

List Organizations

Use this service to look up the organizations that a user is a member of. Organizations are returned in a hierarchy.

Operation: List Organizations
URI: /services/wf/orgs
HTTP Operation: GET
Parameters:
  • uid - User identifier
  • uidAttr - The name of the attribute that holds the user identifier (ie uid, mail, etc)
Return: HTTP 200;

{
  "success": true,
  "org": {
    "id": "{123-456-7890123SDF}",
    "name": "Root",
    "description": "Root of all organizations",
    "subOrgs": [
      {
        "id": "{123-456-7890123SDF}",
        "name": "Org1",
        "description": "First organization",
        "subOrgs": []
      },
      {
        "id": "{123-456-7890123SDF}",
        "name": "Org2",
        "description": "Second organization",
        "subOrgs": []
      }
    ]
  }
}

Only organizations that the user is authorized for are returned.

List Workflows

This service lists out all available workflows. An optional uuid parameter may be specified to list the workflows for a particular organization.

Operation: List Workflows
URI: /services/wf/list
HTTP Operation: GET
Parameters:
  • uuid - Optional: id of the organization to limit the returned workflows to
Return: HTTP 200;

{
  "success": true,
  "wfDescriptions": [
    {"name": "wf1", "label": "Application 1", "description": "Workflow to request application1"},
    {"name": "wf2", "label": "Application 2", "description": "Workflow to request application2"},
    {"name": "wf3", "label": "Application 3", "description": "Workflow to request application3"}
  ]
}

List Portal URLs

The List Portal URLs service is used in conjunction with the Portal URLs management screen in Unison to provide a list of links to a user's authorized applications. This API is self contained; all icons for links are provided as Base64 encoded PNG files. These images can be displayed in a browser using the "data" method of an img tag:

<img height="240" width="210" src="data:image/png;base64,..." />

Where the "..." is the base64 encoding of the image file returned by this web service.

Operation: List Portal URLs
URI: /services/portal/urls
HTTP Operation: GET
Parameters:
  • uid - The user's unique identifier
  • uidAttr - The name of the attribute on the user that stores their unique identifier
Return: HTTP 200;

{
  "success": true,
  "portalURLs": [
    {"name": "app1", "label": "Application 1", "icon": "...", "url": "https://myapp.company.com/", "org": "{123-456-7890}"},
    {"name": "app2", "label": "Application 2", "icon": "...", "url": "https://myapp2.company.com/", "org": "{123-456-7890}"},
    {"name": "app3", "label": "Application 3", "icon": "...", "url": "https://myapp3.company.com/", "org": "{123-456-7890}"}
  ]
}

Where each "..." is the Base64 encoded PNG icon for that link.
