<?xml version="1.0" encoding="utf-8"?>
<!-- Web.config for Pivotal UX 6.6.3 -->
<configuration>

	<!-- Section handlers for the custom configuration elements in this file. "Systems" and "EncryptedSettings"
	     are consumed by the elements of the same name below; the UxClient.* handlers are project types, the
	     others are .NET / log4net framework handlers. -->
	<configSections>
		<section name="Systems" type="UxClient.Common.WebConfig.Sections.SystemsSection"/>
		<section name="AttachmentMimeTypes" type="System.Configuration.NameValueFileSectionHandler,System, Version=1.0.3300.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
		<section name="log4net" type="log4net.Config.Log4NetConfigurationSectionHandler, log4net, Version=1.2.10.0, Culture=neutral, PublicKeyToken=1b44e1d426115821"/>
		<section name="HTMLWhiteList" type="UxClient.Common.WebConfig.Sections.HTMLWhiteListSection"/>
		<section name="SingleSignOnProviders" type="UxClient.Common.WebConfig.Sections.SingleSignOnProvidersSection"/>
		<section name="EncryptedSettings" type="System.Configuration.DictionarySectionHandler"/>
	</configSections>

	<!-- Systems. Set of systems served by this UX Server. -->
	<Systems>

		<!-- PivotalEnvironments. Set of Pivotal systems served by this UX Server. -->
		<PivotalEnvironments>

			<!-- PivotalEnvironment. One PivotalEnvironment per Pivotal system supported by the server.
      "name" - The environment name. Must be unique. Used internally as an identifier for each PivotalEnvironment. Example "PCM".
      "description" - The text shown in the UX Client to the users. Example "Production PCM".
      "pbsURL" - URL to a machine running a PBS configured to support the stated pivotalSystemName. Example "http://localhost" or "http://pbsserver.lclad.com".
      "crystalReportsAffinityPbsUrl" - Optional. URL to a machine running PBS. Creates an affinity between this UX Server and the specified PBS for accessing Crystal Reports. This property allows the UX Server to run Crystal Reports without sticky sessions in a load balanced environment.
      "pivotalSystemName" - A Pivotal system defined on the PBS machine.  Example "PCM608" 
      "encryptedSettingsKey" - A unique key referencing an EncryptedSettings section element.
      "hidden" - Optional (Defaults to false) Allows an environment to be hidden from the login screen. This system is still accessible using the REST API and SSO redirects.
      
      Example: <PivotalEnvironment name="PivotalPCMProd" description="CRM Production" pbsURL="http://pbsServer" pivotalSystemName="PCM608">
      Example: <PivotalEnvironment name="PivotalPCMTest" description="PCM Test" pbsURL="http://localhost" pivotalSystemName="PCM608Test">
      Example: <PivotalEnvironment name="LoadBalanced" description="Load balanced environment" pbsURL="http://loadBalancer" crystalReportsAffinityPbsUrl="http://pbsServer1" pivotalSystemName="PCM608">
      Example: <PivotalEnvironment name="SsoRedirect" description="Hidden environment - Your SSO IdP might redirect to this environment" pbsURL="http://pbsServer" pivotalSystemName="PCM608" hidden="true">
      -->
			<PivotalEnvironment name="ootbpcm" description="ootbpcm" pbsURL="http://localhost" pivotalSystemName="ootbpcm">

				<!-- PBSURLAuthentication. Optional. This is a service account. It provides the Windows credentials used to authenticate with the IIS ePower folder on the PBS machine, impersonate the end user in PBS, and give access to some objects prior to login.
        If no credentials are specified here then the identity of this web site's application pool is used. The identity must be able to successfully Windows authenticate on the PBS machine, as well as have the required Pivotal permissions.
        This is a service account giving technical access to the PBS URL and must be a user in the Pivotal system with:
        1. XML Impersonation permissions. 
        2. Read permissions on the Users table.
        3. Create, Read, Modify, Delete permissions on the UXClient_Users and UXClient_Users_Token tables.
        4. A Pivotal license.
        This service account is not the end user that the PBS uses for normal business rule processing.
        
        Attributes:
        "domain" - Windows domain.
        "username" - Windows user.
        "password" - User's password.
        "encryptedSettingsKey" - A unique key referencing an EncryptedSettings section element.
        
        To encrypt the configuration read the EncryptedSettings section below.
        Or leave blank and use the application pool identity.
        -->
				<!-- Service-account credentials for the PBS URL. The password is stored here in clear text and
				     encryptedSettingsKey is empty, so the EncryptedSettings / aspnet_regiis mechanism described
				     further down is not applied to this element. -->
				<PBSURLAuthentication domain="server" username="administrator" password="Av0lin" encryptedSettingsKey=""/>

				<!-- DemoUser. Controls demo mode.
        "allow" - "true" or "false". Setting to true shows the demo button on the login form. Example "true"
        "pivotalUsername" - The user used for demo access. Must be either a licensed internal Pivotal user in the system or an external user. Example "mobilecrm"
        "encryptedSettingsKey" - A unique key referencing an EncryptedSettings section element.
        
        Example: <DemoUser allow="true" pivotalUsername="mobilecrm" />
        
        -->
				<!-- Demo mode is enabled: the demo button is shown on the login form and demo sessions run as
				     the "administrator" account. The example in the notes above uses a dedicated demo user
				     ("mobilecrm") rather than an administrative one. -->
				<DemoUser allow="true" pivotalUsername="administrator"/>

				<!-- OAUTHAuthentication. If AuthenticationMode includes OAuth this section will define additional OAUTH 2 properties.
        "allowedUserTypes" - "internal": authenticate licensed Pivotal user using Active Directory; "external": authenticate external user; "both": both internal and external users served.
                             If "both" is used then internal users must use their domain suffix when logging in.
        "defaultWindowsDomain" - Used when allowedUserTypes="internal" and the domain name in the username field on the login form is omitted. Only used when allowedUserTypes="internal".
        "encryptedSettingsKey" - A unique key referencing an EncryptedSettings section element.
        
        Example: <OAUTHAuthentication allowedUserTypes="internal" defaultWindowsDomain="prod"/>
        
        -->
				<!-- Internal (Active Directory) users only; defaultWindowsDomain is empty, so presumably the
				     domain must be supplied in the username field on the login form - confirm against the
				     server behaviour. No encryptedSettingsKey is set for this element. -->
				<OAUTHAuthentication allowedUserTypes="internal" defaultWindowsDomain="" encryptedSettingsKey=""/>

				<!-- SingleSignOn. If AuthenticationMode includes any SSO modes (SamlSso) this section defines which identity providers this environment can use. 
        If this system will be using only Windows or OAuth this section can be omitted.
        Currently only SAML identity providers are supported so the only child tag of SingleSignOn will be <SAML>. This contains all required SAML identity providers.
        Within the <SAML> tag you may define any number of PartnerIdentityProvider entries. Each of these should map to 1 PartnerIdentityProvider in your saml.config.
        "name" - The identity provider name, this should match the name of a PartnerIdentityProvider in the saml.config.
        "assertionClaim" Optional - The name of the claim which will be used to authenticate the user. By default this claim is used to match a user's Login name from the Users table. This can be changed with matchClaimWithThisUxClientUsersTableField. Claim names can be found in your IdP metadata or some are available here https://msdn.microsoft.com/en-us/library/microsoft.identitymodel.claims.claimtypes_members.aspx. Please note that this is the full claim name and not the friendly name. This property is not required if only one claim attribute is returned.
        "claimTransformationRegex" Optional - A regular expression which will be applied to the incoming claims to transform them. For example ADFS may return Windows names like yourName@domain.com and the example regex below would be used to match everything before the @ so that the claim is transformed from "yourName@domain.com" to simply "yourName" (this assumes this is how users are named in your Pivotal Administration Console).
        "matchClaimWithThisUxClientUsersTableField" - Optional - The name of a field in UXClient_Users table. If a field is provided here it will be used to try to match the value of the claim returned in a SAML assertion. If a match is found with a UXClient_Users record, then UXClient_Users.User_Id is used to identify the Users record. If, for example, Google Apps is the IdP for this environment and it returns email addresses as the user claim then this can be used to provide a value of "Email", resulting in a match against the UXClient_Users.Email field. NOTE: The field specified here must have UNIQUE values.        
        "keepTheseUsersSignedIn" - Optional - Defaults to "false". This flag determines if users attempting to log in with credentials from this IdP will be remembered and have their authorization token stored in their browser's local storage. If this value is "true" then it is equivalent to checking the "Keep me signed in" checkbox in the UX login form. This applies both during SP-initiated SSO and IdP-initiated SSO. If this value is true then users can still manually sign out or uncheck "Keep me signed in" from the Settings window.
        -->
				<SingleSignOn>
					<!-- Example identity-provider entries (see the attribute notes above):
					<SAML>
						<PartnerIdentityProvider name="http://adfs.server/adfs/services/trust" claimTransformationRegex=".+?(?=@)" keepTheseUsersSignedIn="true"/>
						<PartnerIdentityProvider name="https://accounts.google.com/o/saml2?idpid=" matchClaimWithThisUxClientUsersTableField="Email" />
						<PartnerIdentityProvider name="urn:yourdomain.auth0.com" assertionClaim="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" matchClaimWithThisUxClientUsersTableField="Email" />
					</SAML>
					-->
					<!-- Active identity provider. No assertionClaim is set, so per the notes above this relies on the
					     IdP returning a single claim attribute. The regex keeps everything before "@" (user@domain
					     becomes user). keepTheseUsersSignedIn is not set, so it presumably takes the documented
					     default of "false". -->
					<SAML>
						<PartnerIdentityProvider name="https://sts.windows.net/1aae25ce-51f0-4c30-bb6b-a76368c89cde/" claimTransformationRegex=".+?(?=@)"/>
					</SAML>
				</SingleSignOn>


				<!-- AppConfig. Configuration of the UX Client.
        "idleLogoutTime" - Amount of time (in minutes) a user can be idle before they are automatically logged out. 60 minutes is used if no value is specified. Set to "0" if no idle timeout is required.
        "googleMapsApiLicense" - Must be provided if mapping functionality used. Determine your licensing with Google: https://developers.google.com/maps/pricing-and-plans/ Get API key: https://developers.google.com/maps/documentation/javascript/get-api-key 
        "attachmentUploadFilepath" - Folder where attachment files are temporarily created. Can be a UNC in order to support web farms. Ensure the application pool identity has permissions to access it. Leaving empty defaults to the TemporaryFiles folder. 
        "actionCenterDefaultWhenHomeNotSet" - If no subject is set as the default home in the security permissions for a user, and if actionCenterDefaultWhenHomeNotSet is true then the Action Center is the first content shown after login. Optional. Default is true.
        "externalUserMaxLoginAttempts" - The number of times an external user can fail to authenticate before their account is locked. Optional. Default is 3.
        "allowKeepMeSignedIn" - Whether or not users can stay logged in. 'Keep me signed in' will not appear on the login form if this is false. Optional. Default is true.
        "keepMeSignedInDefault" - Boolean value to default "Keep Me Signed In" checkbox on the login page. The default value is false. "Keep Me Signed In" checkbox defaults to this value unless user overrides it by checking or unchecking the checkbox. The user choice is stored in a browser local storage and is used as a default unless the browser local storage is cleared.
        "minimumAutoRefreshInterval" - The fastest possible time, in seconds, that auto refresh can happen for Action Center widgets. Refresh intervals are rounded up to the higher interval option. "0" indicates no minimum other than what the UI imposes. "-1" denotes that auto refresh is disabled.
        "allowUnfilteredGlobalSearch" - If true then users can do a Global Search without entering any search text: all records of the selected tables will be returned. If false then the user must enter at least one character for the search text. Default is true.
        "preloginServerTask" - The name of a server task providing logic during pre-login. Optional. Required if external user login is used. The UX platform calls specific methods in this server task if they are defined in the other login* attributes (below). Usually installing UX User Management sets this attribute, but this logic can be customized by providing a different server task with its own set of methods. Example: "UXUMUserPrelogin"
        "preloginSetPasswordViableMethod" - The name of the method in the server task which will pre-validate set password tokens. This method is called after a set password link is clicked but before the set password form is shown. The method is passed a Dictionary of strings, used as parameters and return values. See the Technical Reference for more information. Example: "SetPasswordViable"
        "preloginSetPasswordValidateMethod" - The name of a method in the server task specified by the preloginServerTask attribute. Optional. If specified then it is called to validate a user's new password that they are setting, prior to login (they have been sent an email instructing them to set their password). The method is passed a Dictionary of strings, used as parameters and return values. See the Technical Reference for more information. Example: "CheckPasswordRules"
        "preloginSetPasswordUpdateMethod" - The name of a method in the server task specified by the preloginServerTask attribute. Optional. If specified then it is called to update the database with the user's new password (they have been sent an email instructing them to set their password). The method is passed a Dictionary of strings, used as parameters and return values. See the Technical Reference for more information. Example: "ChangeUserPassword"
        "preloginSetPasswordAfterUpdateMethod" - The name of a method in the server task specified by the preloginServerTask attribute. Optional. If specified then it is called after the database has been updated with the user's new password (they have been sent an email instructing them to set their password). The method is passed a Dictionary of strings, used as parameters and return values. See the Technical Reference for more information. Example: "AfterPasswordReset"
        "preloginForgotPasswordValidateMethod" - The name of a method in the server task specified by the preloginServerTask attribute. Optional. If specified then it is called during the "forgot password" workflow to validate that the supplied email address matches a UX user. The method is passed a Dictionary of strings, used as parameters and return values. See the Technical Reference for more information. Example: "FindUser"
        "preloginForgotPasswordUpdateMethod" - The name of a method in the server task specified by the preloginServerTask attribute. Optional. If specified then it is called during the "forgot password" workflow to update the database to a state where the user can attempt to set their password after receiving a verification email. The method is passed a Dictionary of strings, used as parameters and return values. See the Technical Reference for more information. Example: "ResetUserPassword"
        "preloginForgotPasswordAfterUpdateMethod" - The name of a method in the server task specified by the preloginServerTask attribute. Optional. If specified then it is called during the "forgot password" workflow to send out the verification email. The method is passed a Dictionary of strings, used as parameters and return values. See the Technical Reference for more information. Usually installing UX User Management sets this attribute, but this logic can be customized by providing a different server task with its own set of methods. Example: "SendResetPasswordEmail"
        "autoShowMenuInWindows" - Whether or not the menu is visible in windows on bigger devices. Default is true.
        "encryptedSettingsKey" - A unique key referencing an EncryptedSettings section element.
        "clientMetaCaching" - Whether or not the client caches metadata in local storage. Options are "on", "off", and "default". Default uses the Disable Caching of Business Model value specified for the system in PAC.
        "selectAllLoadLimitPromptDesktop" - The maximum number of records allowed to be loaded on a desktop in a select-all operation for a grid. Set to 0 for no limit. Default value is 10000.
        "selectAllLoadLimitPromptMobile" - The maximum number of records allowed to be loaded on a mobile device in a select-all operation for a grid. Set to 0 for no limit. Default value is 3000.
        "allowDiagnostics" - Whether or not the diagnostics option is visible to users of this environment. Defaults to false. Do not include in the config unless a value is set.
        "passThroughLoadDataParameterList" - Boolean value which defaults to true - When a Form record is saved and after your transition method AddData() or SaveData() is invoked the UX Server will invoke the LoadData() transition method. If this flag is true LoadData() will receive the same (potentially modified) parameter list from AddData() or SaveData(). If this flag is false LoadData() will be passed a new empty Parameter list.
        "showNavigationText" - String value with values "on", "off" or "automatic". It defaults to "automatic". The values match the "Show navigation text" option in UX Client "Settings" page where user can override this flag. If user sets the flag in the system "Settings" page via UX Client then this flag is ignored. The user choice is stored in a browser local storage and is used as a default unless the browser local storage is cleared.
        Example: <AppConfig idleLogoutTime="60" googleMapsApiLicense="" attachmentUploadFilepath="" actionCenterDefaultWhenHomeNotSet="true" externalUserMaxLoginAttempts="3" allowKeepMeSignedIn="true" keepMeSignedInDefault="false" minimumAutoRefreshInterval="0" preloginServerTask="UXUMUserPrelogin" preloginSetPasswordValidateMethod="CheckPasswordRules" preloginSetPasswordUpdateMethod="UpdateUserPassword" preloginSetPasswordAfterUpdateMethod="" preloginForgotPasswordValidateMethod="FindUserByEmail" preloginForgotPasswordUpdateMethod="ResetUserPassword" preloginForgotPasswordAfterUpdateMethod="SendResetPasswordEmail" autoShowMenuInWindows="true" clientMetaCaching="default" selectAllLoadLimitPromptDesktop="10000" selectAllLoadLimitPromptMobile="3000" allowDiagnostics="false" passThroughLoadDataParameterList="true" showNavigationText="automatic"/>
        -->
				<!-- Values in use. idleLogoutTime, externalUserMaxLoginAttempts and both selectAll limits equal the
				     documented defaults. All prelogin* hooks are empty, which is consistent with
				     OAUTHAuthentication allowedUserTypes="internal" above (external-user login, which would need
				     preloginServerTask, does not appear to be configured). allowDiagnostics is explicitly "false"
				     and no encryptedSettingsKey is set. -->
				<AppConfig idleLogoutTime="60" googleMapsApiLicense="" attachmentUploadFilepath="" actionCenterDefaultWhenHomeNotSet="true" externalUserMaxLoginAttempts="3" allowKeepMeSignedIn="true" keepMeSignedInDefault="false" minimumAutoRefreshInterval="0" allowUnfilteredGlobalSearch="true" preloginServerTask="" preloginSetPasswordViableMethod="" preloginSetPasswordValidateMethod="" preloginSetPasswordUpdateMethod="" preloginSetPasswordAfterUpdateMethod="" preloginForgotPasswordValidateMethod="" preloginForgotPasswordUpdateMethod="" preloginForgotPasswordAfterUpdateMethod="" autoShowMenuInWindows="true" encryptedSettingsKey="" clientMetaCaching="default" selectAllLoadLimitPromptDesktop="10000" selectAllLoadLimitPromptMobile="3000" allowDiagnostics="false" showNavigationText="automatic"/>

				<!-- The Applications section contains <Application> elements defining the application script files or Sencha packages loaded dynamically at runtime. 
        Applications are loaded in the order they are listed.
        
        The following attributes apply to application scripts:
        "name" - A unique identifier for the application. Required.
        "bundling" - "scripts": set of Pivotal UX JavaScript files; "package": Sencha package. Default is "scripts".
        "location" - Partial folder path identifying where the application files exist. Pivotal UX finds the location by traversing backwards from the app URL. Required.
        "initialClass" - The name of the class called while Pivotal UX is initializing. Gives the application a chance to initialize itself before the user can use the UI. Required.
        "initialMethod" - By default, the initializeApplication method is called in the specified initialClass. To change this, specify an initialMethod in the Application element. Not required.
        "usePackageDebugCodebase" - For packages only. "true" or "false". Default is false.
        "minify" - Set to "true" or "false". If true then this will remove at runtime most of the whitespace, comments, and refactor the code to use shorter names where possible. It also reduces the HTTP round trips by loading all the Application code in one request. Default is "true". Turn off minify when debugging.
        "description" - Explain the purpose of the application. Currently not shown anywhere. 

        Example: <Application name="Pcm" bundling="scripts" location="scripts/Pcm" initialClass="Pcm.Application" minify="true" description="Shared application scripts for both PCM and CMS based systems."/>

        -->
				<!-- Three script bundles, loaded in this order (Pcm, then Sfa, then Um) from the scriptsootb
				     folder, all served minified. -->
				<Applications>
					<Application name="Pcm" bundling="scripts" location="scriptsootb/Pcm" initialClass="Pcm.Application" minify="true" description="Shared application scripts for both PCM and CMS based systems."/>
					<Application name="Sfa" bundling="scripts" location="scriptsootb/Sfa" initialClass="Sfa.Application" minify="true" description="Sales Force Automation client-side business logic."/>
					<Application name="Um" bundling="scripts" location="scriptsootb/Um" initialClass="Um.Application" minify="true" description="UM."/>
				</Applications>

			</PivotalEnvironment>
		</PivotalEnvironments>
	</Systems>


	<!-- EncryptedSettings. Set of PivotalEnvironments settings to encrypt. The encryption is done using the aspnet_regiis encryption tool: https://msdn.microsoft.com/en-us/library/zhhddkxy.aspx. An example is given below.

    The EncryptedSettings section enables encryption of the following elements: PivotalEnvironment, PBSURLAuthentication, DemoUser, OAUTHAuthentication, AppConfig and individual PartnerIdentityProvider within the SingleSignOnProviders section.
    Each of these elements has an additional attribute called "encryptedSettingsKey". This stores the key to access the corresponding EncryptedSettings section element. 

    Make sure each encryptedSettingsKey is unique, and that it corresponds to a key added within <EncryptedSettings>. It must be unique across all PivotalEnvironments. 
    The original attribute value can be set to "" once it has an entry in EncryptedSettings.

    Example:

    Original PBSURLAuthentication element: <PBSURLAuthentication domain="corp" username="prac" password="$R#@F@#" encryptedSettingsKey=""/>

    Modified PBSURLAuthentication element: <PBSURLAuthentication domain="" username="" password="" encryptedSettingsKey="ProdSystemPBSURLAuthentication"/>

    The corresponding EncryptedSettings key:

      <EncryptedSettings>
        <add key="ProdSystemPBSURLAuthentication" value="domain='corp' username='prac' password='$R#@F@#' "/>  
      </EncryptedSettings>

    NOTE: You have to change " to ' for attribute values within the value string.

    Then encrypt from a command window: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis -pef EncryptedSettings "C:\Program Files (x86)\CDC Software\Pivotal CRM\UX Client\www" 
    Note: Change the path if necessary.
    The Web.config will be updated.

    To decrypt back: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis -pdf EncryptedSettings "C:\Program Files (x86)\CDC Software\Pivotal CRM\UX Client\www"

    The syntax of the value is a set of XML attributes. The property names must match those of the original attributes. The values are always strings. Use single quotes around the property names and values because value itself is a string.

    The EncryptedSettings section, its elements and the elements' attributes are all optional. That is, only the attributes requiring encryption need to be present in this section.
    So to just have the password encrypted in the example above:

      <EncryptedSettings>
        <add key="ProdSystemPBSURLAuthentication" value="password='$R#@F@#' "/>
      </EncryptedSettings>
 
	  -->
	<!--<EncryptedSettings>-->
	<!-- Examples. NOTE: Change the key to match your encryptedSettingsKey values and ensure all keys are unique. -->
	<!--<add key="PivotalEnvironmentEncryptedSettingsKey" value="name='' description='' pbsURL='' pivotalSystemName='' "/>-->
	<!--<add key="PBSURLAuthenticationEncryptedSettingsKey" value="domain='prod' username='prac' password='abc' "/>-->
	<!--<add key="DemoUserEncryptedSettingsKey" value="allow='' pivotalUsername='' "/>-->
	<!--<add key="OAUTHAuthenticationEncryptedSettingsKey" value="allowedUserTypes='' defaultWindowsDomain='' "/>-->
	<!--<add key="AppConfigEncryptedSettingsKey" value="idleLogoutTime='' googleMapsApiLicense='' attachmentUploadFilepath='' actionCenterDefaultWhenHomeNotSet='' 
			 externalUserMaxLoginAttempts='' allowKeepMeSignedIn='' minimumAutoRefreshInterval='' allowUnfilteredGlobalSearch='' 
			 preloginServerTask='' preloginSetPasswordValidateMethod='' preloginSetPasswordUpdateMethod=''
			 preloginSetPasswordAfterUpdateMethod='' preloginForgotPasswordValidateMethod='' preloginForgotPasswordUpdateMethod=''
			 preloginForgotPasswordAfterUpdateMethod='' autoShowMenuInWindows='' clientMetaCaching='' "/>-->
	<!--<add key="PartnerIdentityProviderEncryptedSettingsKey" value="name='' issuer='' assertionConsumerUrl='' icon='' color='' partnerCertificatePassword='' "/>-->
	<!--</EncryptedSettings>-->


	<!-- Custom settings for the whole web application, applying to all systems served by this web application. -->
	<appSettings>

		<!-- ************ Global authentication settings ************ -->

		<!-- AuthenticationMode. Determines if Pivotal UX is using Windows, OAuth or Single Sign On authentication. 
    Supported values for AuthenticationMode  | IIS authentication configuration:
                  "OAuth"                    | Your application must have Anonymous Authentication enabled.
                  "Windows"                  | Your application must have Windows Authentication enabled (and only the NTLM provider for iOS/iPad/iPhone support) and Anonymous Authentication disabled.
                  "SamlSso"                  | SAML based Single Sign On - Your application must have Anonymous Authentication enabled.
                  
    NOTE: Authentication mode supports multiple comma-separated values as long as they share IIS authentication mode. For example:
        <add key="AuthenticationMode" value="OAuth, SamlSso" />
        
    NOTE: If you are using Windows authentication then note that iOS only supports the NTLM provider, and not "Negotiate".
    -->   

		<!-- Active modes: SAML SSO plus OAuth; both require Anonymous Authentication in IIS per the table above.
		     "oAuth" differs in case from the documented "OAuth" - presumably the comparison is
		     case-insensitive; confirm. -->
		<add key="AuthenticationMode" value="SamlSso,oAuth"/>    

		<!-- Whether or not the Credential Manager is able to save user credentials in Internet Explorer and Edge browsers. Enabling this flag adds autoComplete="on" to the User name and Password fields on the login form's HTML. -->
		<add key="LoginCredentialsAutoComplete" value="false"/>

		<!-- ******** Global OAuth authentication settings ********* -->
		<!-- Note: These are only OAuth settings and do not apply to Windows authentication. -->

		<!-- Lifetime of user access to the system, in minutes. After this point the user will be logged out unless there is a longer refresh token lifetime, even if they have not been idle. Must be specified. Must be 1 or more minutes. -->
		<add key="AccessTokenLifetime" value="1440"/>

		<!-- Extended lifetime of user access to the system, in minutes. Can be left blank if access tokens should not be automatically refreshed. If a value is specified then it must be greater than the AccessTokenLifetime. -->
		<!-- 42000 minutes, greater than AccessTokenLifetime (1440) as required above. 1440/42000 is about 3.4%,
		     below the 4-20% ratio suggested in the RollingRefreshToken note below; that guidance only matters
		     if RollingRefreshToken is enabled (it is "false" below). -->
		<add key="RefreshTokenLifetime" value="42000"/>

		<!-- Indicates whether to use rolling refresh tokens to stay logged in. Meaning every refresh-access-token call issues a new access token with AccessTokenLifetime and a new refresh token with RefreshTokenLifetime (not the remaining time of the RefreshTokenLifetime). 
    In order for RollingRefreshToken to be effective it requires both AccessTokenLifetime and RefreshTokenLifetime set to the right value that ensures the sliding window of refresh token is
    achieved by making AccessTokenLifetime value a fraction of value set for RefreshTokenLifetime. The value of AccessTokenLifetime should be 4-20% of the RefreshTokenLifetime. 
    For example, AccessTokenLifetime="60" and RefreshTokenLifetime="1440". 
    If the RefreshTokenLifetime is too close to AccessTokenLifetime then there is a danger that refresh token expires (e.g. user closes the browser) before the access and refresh token could be renewed. 
    User is logged out if idle based on the AppConfig idleLogoutTime value.
    Default is "false".
    -->
		<add key="RollingRefreshToken" value="false"/>

		<!-- UseOriginalURLForOAuthTokenAPI. This will toggle whether or not the refresh token request to OWIN server uses the original url or http://localhost. The default is false. -->
		<add key="UseOriginalURLForOAuthTokenAPI" value="false"/>

		<!-- Total lifetime of a single sign on session in minutes. This session will not be refreshed, after this amount of time each user will have to re-authenticate with Pivotal. -->
		<add key="SingleSignOnLifetime" value="20160"/>

		<!-- CookieLifetime. The number of minutes a cookie will exist to give access to reports and attachments. Default value is 30 minutes. -->
		<add key="CookieLifetime" value="30"/>

		<!-- "ClientId" - identifier used by the OAUTH access token. -->
		<add key="ClientId" value="PivotalUXClient"/>

		<!-- EnableSamlAssertionLogging. This will toggle whether or not all SAML assertions are logged to the UXServer.log as DEBUG entries. This is recommended as a debugging technique and should not be used in production. -->
		<!-- Enabled in this configuration: the full content of every SAML assertion is written to UXServer.log
		     at DEBUG level. The note above describes this as a debugging technique not intended for
		     production. -->
		<add key="EnableSamlAssertionLogging" value="true"/>

		<!-- ***************** Global SSL settings ***************** -->

		<!-- AllowInsecureHttp. Pivotal UX Client requires HTTPS communication between the browser and the web site so that all communication, data, credentials, etc. are encrypted.
    In cases such as internal development environments you may want this requirement to be relaxed. 
    HTTPS is required for all production environments and where untrusted networks are used.
    NOTE: If the website is configured to require SSL then this takes precedence. 
    -->
		<!-- Set to "true" here, so plain HTTP is accepted unless IIS itself requires SSL (which takes
		     precedence per the note above). The note above states HTTPS is required for production
		     environments and untrusted networks. -->
		<add key="AllowInsecureHttp" value="true"/>
		<!-- AutoRedirectToHttps. Unless AllowInsecureHttp="true" then the Pivotal UX URL must be HTTPS. If a user enters an http URL then AutoRedirectToHttps="true" will redirect to the HTTPS equivalent URL.
    If AutoRedirectToHttps="false" then a message is shown to the user that an HTTPS URL must be used.
    NOTE: If redirect is enabled but SSL is not correctly configured then some browsers such as Internet Explorer do not update the URL to show it is trying to redirect to the HTTPS URL. This can be confusing to the user because they just see a message saying the page is not found.
    So as long as SSL is correctly configured then AutoRedirectToHttps="true" can be used.
    -->
		<!-- With AllowInsecureHttp="true" above, http URLs are accepted and this setting presumably has no
		     effect; it becomes relevant once AllowInsecureHttp is set to "false". -->
		<add key="AutoRedirectToHttps" value="false"/>

		<!-- ************** Global security settings ************** -->
		<!--AllowStackTraceInErrorResponse. This setting will prevent or allow server stack traces to return to the client in HTTP responses. Users will be shown the stack trace details upon exception by clicking "More details" on the error dialog.
    Stack traces are included in the JSON response as the property "ErrorDetails". ErrorDetails will always be blank if this setting is false.
     This setting does not affect logging. This setting defaults to false if it is missing or malformed.
    -->
		<add key="AllowStackTraceInErrorResponse" value="false"/>

		<!-- ************* Global attachment settings ************* -->

		<!-- MaxAttachmentUploadsPerUserPerHour. Limits the number of attachments a user may upload within one hour.
    If this number is exceeded the user receives a warning that they are attempting to upload too many attachments.
    A value of zero prevents any attachments from being uploaded.
    The default value is 60 if this key is missing or has bad input. -->
		<add key="MaxAttachmentUploadsPerUserPerHour" value="60"/>

		<!-- AttachmentUploadExpiry. The amount of time, in minutes, that an uploaded attachment can exist in temporary storage before the server automatically deletes it.
    Attachments exist in temporary storage only until the form or activity they belong to is saved.
    A value of zero prevents the server from ever trying to delete old attachments from temporary storage.
    NOTE: A value of zero makes no guarantee that attachments cannot be deleted by the server administrator, only that they will not be automatically cleaned up by the UX server.
    NOTE(review): with zero, abandoned uploads accumulate in temporary storage indefinitely; keep a non-zero value so orphaned files have a bounded lifetime.
    The default value is 30 if this key is missing or has bad input. -->
		<add key="AttachmentUploadExpiry" value="30"/>

		<!-- AttachmentMaxSize. Maximum attachment file upload size, in KB. Example: "2048". Leave empty if no maximum is required.
    The size of Activity attachments (e.g. in emails) can be further restricted by changing the "Maximum attachment size" in Security->Global Options in the Toolkit. That value cannot override AttachmentMaxSize.
    Note: maxRequestLength in the system.web section also governs the maximum size of an attachment that can be downloaded and uploaded, being the absolute maximum size for any request or response.
    NOTE(review): the value below is empty, so the only upload size limit set by this file is maxRequestLength (20480 KB in system.web). Set an explicit value here if a lower per-attachment limit is wanted. -->
		<add key="AttachmentMaxSize" value=""/>

		<!-- AttachmentAllowedFileTypes. Allowed attachment file suffixes. Separate values with semi-colons like this: "gif;txt;bmp". Do not use wildcards. Leave empty if no restriction is required.
    The types of Activity attachments (e.g. in emails) can be further restricted by changing the "Allowed file types" in Security->Global Options in the Toolkit. That value cannot override AttachmentAllowedFileTypes.
    NOTE(review): the value below is empty, so every suffix is accepted, including the executable and script types that the AttachmentMimeTypes section maps (e.g. ".exe", ".hta", ".js"). An explicit allow-list of the suffixes the business actually needs is the safer default. -->
		<add key="AttachmentAllowedFileTypes" value=""/>

		<!-- ******************** Permissions ******************** -->

		<!-- IgnoreExecuteServerTaskPermissions. Whether or not Server Task Permissions are ignored. Server Task permissions are only applied to [TaskExecute] methods and not to form transition methods.
    Note: the key name is IgnoreExecuteServerTaskPermissions (not IgnoreServerTaskPermissions). "false" keeps the permission checks enforced.
    -->
		<add key="IgnoreExecuteServerTaskPermissions" value="false"/>

		<!-- *********** Global Address Book Settings *********** -->

		<!-- AddressBookMaxRows. The maximum number of Pivotal address book search results that can be returned for one search. -->
		<add key="AddressBookMaxRows" value="100"/>

		<!-- ****************** Google Maps API ***************** -->

		<!-- GoogleMapsApiLicense. If using Google Maps then the API license key must be provided either for each PivotalEnvironment or globally here.
    Determine your licensing with Google: https://developers.google.com/maps/pricing-and-plans/
    Get API key: https://developers.google.com/maps/documentation/javascript/get-api-key
    NOTE(review): a key placed here is stored in clear text in Web.config; restrict the key on the Google side (allowed referrers) so that a leaked copy of this file does not yield a freely usable key.
    -->
		<add key="GoogleMapsApiLicense" value=""/>

		<!-- ******************* REST API Help ******************* -->

		<!-- EnableRESTAPIHelp. Allows or prevents generation of the REST API help pages. "false" disables the help pages; "true" enables them.
    Web.config defaults this to false because the product is shipped in a production configuration. Leaving it available in production could be a security risk.
    NOTE(review): the value below is "true", overriding the shipped default described above; the help pages document the server's REST API, so set this back to "false" for production.
    -->
		<add key="EnableRESTAPIHelp" value="true"/>

	</appSettings>


	<!-- ASP.NET (system.web) settings for the whole web application -->
	<system.web>
		<!-- debug="false": no debug-mode compilation in production. -->
		<compilation debug="false" targetFramework="4.7"/>

		<!-- Change maxRequestLength (KB) to allow bigger attachments to be downloaded and uploaded.
    The size of Activity attachments (e.g. in emails) can be further restricted by changing the "Maximum attachment size" in Security->Global Options in the Toolkit.
    enableVersionHeader="false" suppresses the X-AspNet-Version response header.
    -->
		<httpRuntime targetFramework="4.7" maxRequestLength="20480" enableVersionHeader="false"/>
		<!-- NOTE(review): mode="Off" sends detailed ASP.NET error pages (exception message and stack trace) to every client, including remote ones.
    For production use mode="RemoteOnly" (details only for requests made from the server itself) or mode="On" with a defaultRedirect page.
    AllowStackTraceInErrorResponse="false" in appSettings covers the application's JSON error responses; it does not control these ASP.NET error pages. -->
		<customErrors mode="Off"/>
	</system.web>


	<!--Logging settings.
  The default configuration is to write to a file called UXServer.log in the Logs sub-folder. Each day the previous log file is renamed with its date.
  NOTE(review): the RollingFile appender also rolls at 10MB and keeps at most 10 size-based backups; older files beyond that are discarded, so archive the Logs folder elsewhere if longer retention is required.
  Every entry records the system and user names, so restrict filesystem access to the Logs folder as you would any audit data.
  -->
	<log4net>
		<!-- Writes entries to the System.Diagnostics.Debug output (visible in an attached debugger). -->
		<appender name="DebugAppender" type="log4net.Appender.DebugAppender">
			<layout type="log4net.Layout.PatternLayout">
				<conversionPattern value="%newline%newlineDate: %date %newlineLogLevel: %level %newlineMessage: %message%newline"/>
			</layout>
		</appender>
		<!-- Main log file. The relative path is resolved against the application's base directory. -->
		<appender name="RollingFile" type="log4net.Appender.RollingFileAppender">
			<file value="Logs\UXServer.log"/>
			<!-- MinimalLock releases the file between writes so it can be read or rotated while the site is running. -->
			<lockingModel type="log4net.Appender.FileAppender+MinimalLock"/>
			<appendToFile value="true"/>
			<maximumFileSize value="10MB"/>
			<maxSizeRollBackups value="10"/>
			<layout type="log4net.Layout.PatternLayout">
				<conversionPattern value="%newline%newlineDate: %date %newlineLogLevel: %level %newlinesystem: %property{system} %newlineUser: %property{user} %newlineMessage: %message %newline"/>
			</layout>
		</appender>
		<root>
			<!-- Change to "All" to see Debug level too (also required for the EnableSamlAssertionLogging entries from appSettings to appear; do not leave that combination on in production). -->
			<level value="INFO"/>
			<appender-ref ref="DebugAppender"/>
			<appender-ref ref="RollingFile"/>
		</root>
	</log4net>


	<!-- IIS7 settings for the whole web application -->
	<system.webServer>
		<staticContent>
			<!-- Additional MIME types used by Pivotal UX. By default IIS 7.5 and IIS Express do not define these MIME types. -->
			<remove fileExtension=".json"/>
			<mimeMap fileExtension=".json" mimeType="application/json"/>
			<remove fileExtension=".woff"/>
			<mimeMap fileExtension=".woff" mimeType="application/font-woff"/>
			<remove fileExtension=".appcache"/>
			<mimeMap fileExtension=".appcache" mimeType="text/cache-manifest"/>
		</staticContent>
		<httpProtocol>
			<customHeaders>
				<!-- To add more security headers, refer to the "Enhancing Security" section of the "UXClient_Installation_Configuration_Guide" document.
				     NOTE(review): no Strict-Transport-Security or Content-Security-Policy header is set here; once AllowInsecureHttp is "false" and HTTPS is enforced, HSTS is the usual next step.
				     X-XSS-Protection is a legacy header that current browsers ignore; it is harmless but provides no protection by itself. -->
				<remove name="X-Powered-By"/>
				<remove name="Server"/>
				<remove name="X-Frame-Options"/>
				<remove name="X-XSS-Protection"/>
				<remove name="X-Content-Type-Options"/>
				<remove name="Access-Control-Allow-Methods"/>
				<!-- Replaces the Server header value with the literal "Server". Whether this also masks the IIS-generated Server header depends on the IIS version; verify with a captured response. -->
				<add name="Server" value="Server"/>
				<!-- SAMEORIGIN blocks framing by other origins (clickjacking). -->
				<add name="X-Frame-Options" value="SAMEORIGIN"/>
				<add name="X-XSS-Protection" value="1; mode=block"/>
				<!-- nosniff stops browsers from guessing a content type different from the one declared. -->
				<add name="X-Content-Type-Options" value="nosniff"/>
				<!-- NOTE(review): sent on every response. Without an Access-Control-Allow-Origin header it grants no cross-origin access, and OPTIONS is denied in requestFiltering below, so preflighted cross-origin requests cannot succeed anyway; confirm this header is still needed. -->
				<add name="Access-Control-Allow-Methods" value="GET,POST,PUT,DELETE"/>
			</customHeaders>
		</httpProtocol>
		<handlers>
			<remove name="ExtensionlessUrlHandler-Integrated-4.0"/>
			<!-- OPTIONS and TRACE are additionally denied by requestFiltering below. -->
			<remove name="OPTIONSVerbHandler"/>
			<remove name="TRACEVerbHandler"/>
			<!-- WebDAV handling must be removed for custom REST APIs to work -->
			<remove name="WebDAV"/>
			<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0"/>
		</handlers>
		<modules runAllManagedModulesForAllRequests="true" runManagedModulesForWebDavRequests="true">
			<!-- WebDAV handling must be removed for custom REST APIs to work -->
			<remove name="WebDAVModule"/>
		</modules>
		<caching enabled="true" enableKernelCache="true">
			<profiles>
				<!-- Allow bootstrap.json and other static Sencha files to be refreshed in browsers if they change. -->
				<remove extension=".json"/>
				<add extension=".json" policy="CacheUntilChange" kernelCachePolicy="CacheUntilChange"/>
				<!-- This allows the browser to check for a 304(Not Modified) on all images, fonts and static HTML before it uses the file from cache. -->
				<remove extension=".png"/>
				<add extension=".png" policy="CacheUntilChange" kernelCachePolicy="CacheUntilChange"/>
				<remove extension=".js"/>
				<add extension=".js" policy="CacheUntilChange" kernelCachePolicy="CacheUntilChange"/>
				<remove extension=".css"/>
				<add extension=".css" policy="CacheUntilChange" kernelCachePolicy="CacheUntilChange"/>
				<remove extension=".jpg"/>
				<add extension=".jpg" policy="CacheUntilChange" kernelCachePolicy="CacheUntilChange"/>
				<remove extension=".gif"/>
				<add extension=".gif" policy="CacheUntilChange" kernelCachePolicy="CacheUntilChange"/>
				<remove extension=".woff"/>
				<add extension=".woff" policy="CacheUntilChange" kernelCachePolicy="CacheUntilChange"/>
				<remove extension=".ttf"/>
				<add extension=".ttf" policy="CacheUntilChange" kernelCachePolicy="CacheUntilChange"/>
				<remove extension=".html"/>
				<add extension=".html" policy="CacheUntilChange" kernelCachePolicy="CacheUntilChange"/>
				<remove extension=".htm"/>
				<add extension=".htm" policy="CacheUntilChange" kernelCachePolicy="CacheUntilChange"/>
			</profiles>
		</caching>
		<security>
			<requestFiltering>
				<!-- Denying TRACE removes the cross-site tracing vector; denying OPTIONS also blocks CORS preflight requests (see the customHeaders note above). -->
				<verbs>
					<add verb="OPTIONS" allowed="false"/>
					<add verb="TRACE" allowed="false"/>
				</verbs>
			</requestFiltering>
		</security>
	</system.webServer>


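	<!-- Attachment extension MIME types. Used to support the browser's correct display of an attachment.
  Keys are lower-case file suffixes including the leading dot; the value is presumably the content type sent for that suffix.
  Fix: the ".pot" key previously carried a stray trailing comma (".pot,") and so could never match a real suffix.
  NOTE(review): several mapped types are browser-executable content (text/html for .htm/.html/.stm, application/hta, application/x-javascript, application/octet-stream for .exe).
  Serving user-uploaded files inline with such types lets the content run in this site's origin. This file does not show how attachments are served, so confirm downloads
  use Content-Disposition: attachment (the nosniff header in system.webServer only stops type guessing, it does not make text/html inert) and pair this map with an explicit
  AttachmentAllowedFileTypes allow-list in appSettings.
  A few values mirror the Windows registry verbatim, including its oddities (".jfif" image/pipeg, ".pko" application/ynd.ms-pkipko); they are left unchanged here.
  -->
	<AttachmentMimeTypes>
		<add key=".323" value="text/h323"/>
		<add key=".acx" value="application/internet-property-stream"/>
		<add key=".ai" value="application/postscript"/>
		<add key=".aif" value="audio/x-aiff"/>
		<add key=".aifc" value="audio/x-aiff"/>
		<add key=".aiff" value="audio/x-aiff"/>
		<add key=".asf" value="video/x-ms-asf"/>
		<add key=".asr" value="video/x-ms-asf"/>
		<add key=".asx" value="video/x-ms-asf"/>
		<add key=".au" value="audio/basic"/>
		<add key=".avi" value="video/x-msvideo"/>
		<add key=".axs" value="application/olescript"/>
		<add key=".bas" value="text/plain"/>
		<add key=".bcpio" value="application/x-bcpio"/>
		<add key=".bin" value="application/octet-stream"/>
		<add key=".bmp" value="image/bmp"/>
		<add key=".c" value="text/plain"/>
		<add key=".cat" value="application/vnd.ms-pkiseccat"/>
		<add key=".cdf" value="application/x-cdf"/>
		<add key=".cer" value="application/x-x509-ca-cert"/>
		<add key=".class" value="application/octet-stream"/>
		<add key=".clp" value="application/x-msclip"/>
		<add key=".cmx" value="image/x-cmx"/>
		<add key=".cod" value="image/cis-cod"/>
		<add key=".cpio" value="application/x-cpio"/>
		<add key=".crd" value="application/x-mscardfile"/>
		<add key=".crl" value="application/pkix-crl"/>
		<add key=".crt" value="application/x-x509-ca-cert"/>
		<add key=".csh" value="application/x-csh"/>
		<add key=".css" value="text/css"/>
		<add key=".dcr" value="application/x-director"/>
		<add key=".der" value="application/x-x509-ca-cert"/>
		<add key=".dir" value="application/x-director"/>
		<add key=".dll" value="application/x-msdownload"/>
		<add key=".dms" value="application/octet-stream"/>
		<add key=".doc" value="application/msword"/>
		<add key=".docx" value="application/vnd.openxmlformats-officedocument.wordprocessingml.document"/>
		<add key=".dotx" value="application/vnd.openxmlformats-officedocument.wordprocessingml.template"/>
		<add key=".docm" value="application/vnd.ms-word.document.macroEnabled.12"/>
		<add key=".dot" value="application/msword"/>
		<add key=".dotm" value="application/vnd.ms-word.template.macroEnabled.12"/>
		<add key=".dvi" value="application/x-dvi"/>
		<add key=".dxr" value="application/x-director"/>
		<add key=".eps" value="application/postscript"/>
		<add key=".etx" value="text/x-setext"/>
		<add key=".evy" value="application/envoy"/>
		<add key=".exe" value="application/octet-stream"/>
		<add key=".fif" value="application/fractals"/>
		<add key=".flr" value="x-world/x-vrml"/>
		<add key=".gif" value="image/gif"/>
		<add key=".gtar" value="application/x-gtar"/>
		<add key=".gz" value="application/x-gzip"/>
		<add key=".h" value="text/plain"/>
		<add key=".hdf" value="application/x-hdf"/>
		<add key=".hlp" value="application/winhlp"/>
		<add key=".hqx" value="application/mac-binhex40"/>
		<add key=".hta" value="application/hta"/>
		<add key=".htc" value="text/x-component"/>
		<add key=".htm" value="text/html"/>
		<add key=".html" value="text/html"/>
		<add key=".htt" value="text/webviewhtml"/>
		<add key=".ico" value="image/x-icon"/>
		<add key=".ief" value="image/ief"/>
		<add key=".iii" value="application/x-iphone"/>
		<add key=".ins" value="application/x-internet-signup"/>
		<add key=".isp" value="application/x-internet-signup"/>
		<add key=".jfif" value="image/pipeg"/>
		<add key=".jpe" value="image/jpeg"/>
		<add key=".jpeg" value="image/jpeg"/>
		<add key=".jpg" value="image/jpeg"/>
		<add key=".js" value="application/x-javascript"/>
		<add key=".latex" value="application/x-latex"/>
		<add key=".lha" value="application/octet-stream"/>
		<add key=".lsf" value="video/x-la-asf"/>
		<add key=".lsx" value="video/x-la-asf"/>
		<add key=".lzh" value="application/octet-stream"/>
		<add key=".m13" value="application/x-msmediaview"/>
		<add key=".m14" value="application/x-msmediaview"/>
		<add key=".m3u" value="audio/x-mpegurl"/>
		<add key=".man" value="application/x-troff-man"/>
		<add key=".mdb" value="application/x-msaccess"/>
		<add key=".me" value="application/x-troff-me"/>
		<add key=".mht" value="message/rfc822"/>
		<add key=".mhtml" value="message/rfc822"/>
		<add key=".mid" value="audio/mid"/>
		<add key=".mny" value="application/x-msmoney"/>
		<add key=".mov" value="video/quicktime"/>
		<add key=".movie" value="video/x-sgi-movie"/>
		<add key=".mp2" value="video/mpeg"/>
		<add key=".mp3" value="audio/mpeg"/>
		<add key=".mpa" value="video/mpeg"/>
		<add key=".mpe" value="video/mpeg"/>
		<add key=".mpeg" value="video/mpeg"/>
		<add key=".mpg" value="video/mpeg"/>
		<add key=".mpp" value="application/vnd.ms-project"/>
		<add key=".mpv2" value="video/mpeg"/>
		<add key=".ms" value="application/x-troff-ms"/>
		<add key=".mvb" value="application/x-msmediaview"/>
		<add key=".nws" value="message/rfc822"/>
		<add key=".oda" value="application/oda"/>
		<add key=".p10" value="application/pkcs10"/>
		<add key=".p12" value="application/x-pkcs12"/>
		<add key=".p7b" value="application/x-pkcs7-certificates"/>
		<add key=".p7c" value="application/x-pkcs7-mime"/>
		<add key=".p7m" value="application/x-pkcs7-mime"/>
		<add key=".p7r" value="application/x-pkcs7-certreqresp"/>
		<add key=".p7s" value="application/x-pkcs7-signature"/>
		<add key=".pbm" value="image/x-portable-bitmap"/>
		<add key=".pdf" value="application/pdf"/>
		<add key=".pfx" value="application/x-pkcs12"/>
		<add key=".pgm" value="image/x-portable-graymap"/>
		<add key=".pko" value="application/ynd.ms-pkipko"/>
		<add key=".pma" value="application/x-perfmon"/>
		<add key=".pmc" value="application/x-perfmon"/>
		<add key=".pml" value="application/x-perfmon"/>
		<add key=".pmr" value="application/x-perfmon"/>
		<add key=".pmw" value="application/x-perfmon"/>
		<add key=".pnm" value="image/x-portable-anymap"/>
		<add key=".pot" value="application/vnd.ms-powerpoint"/>
		<add key=".ppa" value="application/vnd.ms-powerpoint"/>
		<add key=".ppm" value="image/x-portable-pixmap"/>
		<add key=".pps" value="application/vnd.ms-powerpoint"/>
		<add key=".ppt" value="application/vnd.ms-powerpoint"/>
		<add key=".pptx" value="application/vnd.openxmlformats-officedocument.presentationml.presentation"/>
		<add key=".potx" value="application/vnd.openxmlformats-officedocument.presentationml.template"/>
		<add key=".ppsx" value="application/vnd.openxmlformats-officedocument.presentationml.slideshow"/>
		<add key=".ppam" value="application/vnd.ms-powerpoint.addin.macroEnabled.12"/>
		<add key=".pptm" value="application/vnd.ms-powerpoint.presentation.macroEnabled.12"/>
		<add key=".potm" value="application/vnd.ms-powerpoint.template.macroEnabled.12"/>
		<add key=".ppsm" value="application/vnd.ms-powerpoint.slideshow.macroEnabled.12"/>
		<add key=".prf" value="application/pics-rules"/>
		<add key=".ps" value="application/postscript"/>
		<add key=".pub" value="application/x-mspublisher"/>
		<add key=".qt" value="video/quicktime"/>
		<add key=".ra" value="audio/x-pn-realaudio"/>
		<add key=".ram" value="audio/x-pn-realaudio"/>
		<add key=".ras" value="image/x-cmu-raster"/>
		<add key=".rgb" value="image/x-rgb"/>
		<add key=".rmi" value="audio/mid"/>
		<add key=".roff" value="application/x-troff"/>
		<add key=".rtf" value="application/rtf"/>
		<add key=".rtx" value="text/richtext"/>
		<add key=".scd" value="application/x-msschedule"/>
		<add key=".sct" value="text/scriptlet"/>
		<add key=".setpay" value="application/set-payment-initiation"/>
		<add key=".setreg" value="application/set-registration-initiation"/>
		<add key=".sh" value="application/x-sh"/>
		<add key=".shar" value="application/x-shar"/>
		<add key=".sit" value="application/x-stuffit"/>
		<add key=".snd" value="audio/basic"/>
		<add key=".spc" value="application/x-pkcs7-certificates"/>
		<add key=".spl" value="application/futuresplash"/>
		<add key=".src" value="application/x-wais-source"/>
		<add key=".sst" value="application/vnd.ms-pkicertstore"/>
		<add key=".stl" value="application/vnd.ms-pkistl"/>
		<add key=".stm" value="text/html"/>
		<add key=".sv4cpio" value="application/x-sv4cpio"/>
		<add key=".sv4crc" value="application/x-sv4crc"/>
		<add key=".t" value="application/x-troff"/>
		<add key=".tar" value="application/x-tar"/>
		<add key=".tcl" value="application/x-tcl"/>
		<add key=".tex" value="application/x-tex"/>
		<add key=".texi" value="application/x-texinfo"/>
		<add key=".texinfo" value="application/x-texinfo"/>
		<add key=".tgz" value="application/x-compressed"/>
		<add key=".tif" value="image/tiff"/>
		<add key=".tiff" value="image/tiff"/>
		<add key=".tr" value="application/x-troff"/>
		<add key=".trm" value="application/x-msterminal"/>
		<add key=".tsv" value="text/tab-separated-values"/>
		<add key=".txt" value="text/plain"/>
		<add key=".uls" value="text/iuls"/>
		<add key=".ustar" value="application/x-ustar"/>
		<add key=".vcf" value="text/x-vcard"/>
		<add key=".vrml" value="x-world/x-vrml"/>
		<add key=".wav" value="audio/x-wav"/>
		<add key=".wcm" value="application/vnd.ms-works"/>
		<add key=".wdb" value="application/vnd.ms-works"/>
		<add key=".wks" value="application/vnd.ms-works"/>
		<add key=".wma" value="audio/x-wma"/>
		<add key=".wmf" value="application/x-msmetafile"/>
		<add key=".wps" value="application/vnd.ms-works"/>
		<add key=".wri" value="application/x-mswrite"/>
		<add key=".wrl" value="x-world/x-vrml"/>
		<add key=".wrz" value="x-world/x-vrml"/>
		<add key=".xaf" value="x-world/x-vrml"/>
		<add key=".xbm" value="image/x-xbitmap"/>
		<add key=".xla" value="application/vnd.ms-excel"/>
		<add key=".xlc" value="application/vnd.ms-excel"/>
		<add key=".xlm" value="application/vnd.ms-excel"/>
		<add key=".xls" value="application/vnd.ms-excel"/>
		<add key=".xlam" value="application/vnd.ms-excel.addin.macroEnabled.12"/>
		<add key=".xlsb" value="application/vnd.ms-excel.sheet.binary.macroEnabled.12"/>
		<add key=".xlsm" value="application/vnd.ms-excel.sheet.macroEnabled.12"/>
		<add key=".xlsx" value="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"/>
		<add key=".xlt" value="application/vnd.ms-excel"/>
		<add key=".xltm" value="application/vnd.ms-excel.template.macroEnabled.12"/>
		<add key=".xltx" value="application/vnd.openxmlformats-officedocument.spreadsheetml.template"/>
		<add key=".xlw" value="application/vnd.ms-excel"/>
		<add key=".xof" value="x-world/x-vrml"/>
		<add key=".xpm" value="image/x-xpixmap"/>
		<add key=".xwd" value="image/x-xwindowdump"/>
		<add key=".z" value="application/x-compress"/>
		<add key=".zip" value="application/zip"/>
	</AttachmentMimeTypes>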


	<!-- Permitted HTML tags and attributes allowed in email, appointment and task messages.
  This is enforced to prevent cross-site scripting attacks; tags and attributes not listed here are expected to be stripped.
  NOTE(review): allowing "href" on <a> and "style" on most tags is only safe if the sanitizer also validates attribute values:
  href should be limited to http/https/mailto URLs (no script-bearing schemes) and style should be checked for url() and other active CSS constructs.
  That value validation is not visible in this file; confirm it in the sanitizer before relying on this list alone.
  -->
	<HTMLWhiteList>
		<Tags>
			<!-- name: the permitted element. attribute: semicolon-separated list of permitted attributes (presumably no attributes are allowed when omitted, as for "br"). -->
			<Tag name="a" attribute="href"/>
			<Tag name="font" attribute="color;face;size;style"/>
			<Tag name="ul" attribute="style;type"/>
			<Tag name="ol" attribute="style;type"/>
			<Tag name="li" attribute="style;type"/>
			<Tag name="span" attribute="style"/>
			<Tag name="b" attribute="style"/>
			<Tag name="i" attribute="style"/>
			<Tag name="u" attribute="style"/>
			<Tag name="br"/>
			<Tag name="p" attribute="style"/>
			<Tag name="div" attribute="style"/>
		</Tags>
	</HTMLWhiteList>

	<!-- Defines all single sign-on identity providers available to this UX server.
  -->
	<SingleSignOnProviders>
		<SAML>
			<!-- PartnerIdentityProvider. Defines one IdP and must reference a PartnerIdentityProvider defined in the saml.config file.
        "name" - This must exactly match the name property from saml.config.
        "issuer" - The value for issuer must be the same as the value your identity provider uses as the relying party trust identifier. The relying party trust identifier identifies the UX Server as a trusted party or service provider.
        "assertionConsumerUrl" - This is also the value which is provided to your identity provider as the Assertion Consumer endpoint or ACS URL. This is the URL which will receive the SAML assertions from the identity provider. It should point to index.aspx at the UX Client URL.
        "icon" - The icon is displayed on the sign in button alongside the description. Any fontawesome icon is valid: http://fontawesome.io/icons/
        "color" - The color of the sign in button for this IdP. Hex and plain text values are acceptable (e.g. "green" or "#009900"). If this value is left blank it will default to the same blue as the other buttons on the login form. Text and icon colors cannot be changed at this time.
        "partnerCertificatePassword" - The password for the saml.config defined PartnerCertificateFile. NOTE: If this password is not defined then SignAuthnRequest in saml.config must be false. Outgoing requests cannot be signed without access to the certificate's private key.
        "encryptedSettingsKey" - A unique key referencing an EncryptedSettings section element.
        
      Examples:
        
      <PartnerIdentityProvider name="http://adfs.server/adfs/services/trust" 
                               issuer="urn:pivotalux:test"
                               assertionConsumerUrl="https://pivotalUxServer/pivotalux/index.aspx" 
                               icon="fa-windows" 
                               color="#009900"
                               partnerCertificatePassword="password" 
                               encryptedSettingsKey="" />
      
      <PartnerIdentityProvider name="https://accounts.google.com/o/saml2?idpid=" 
                               issuer="https://accounts.google.com/o/saml2?idpid=" 
                               assertionConsumerUrl="https://pivotalUxServer/pivotalux/index.aspx#pivotalEnvironmentName:GoogleSSO" 
                               icon="fa-google" 
                               color=""
                               partnerCertificatePassword=""
                               encryptedSettingsKey="" />

      <PartnerIdentityProvider name="urn:yourdomain.auth0.com"
                               issuer="urn:yourdomain.auth0.com"
                               assertionConsumerUrl="https://pivotalUxServer/pivotalux/index.aspx"
                               icon=""
                               color="#e38c33"
                               partnerCertificatePassword="" /> -->
			<!-- NOTE(review): the live provider below leaves partnerCertificatePassword empty and sets no encryptedSettingsKey, so per the note above SignAuthnRequest must be false in saml.config and the AuthnRequests sent to this IdP are unsigned.
        If a certificate password is added later, prefer referencing it through encryptedSettingsKey (presumably what the EncryptedSettings section is for) rather than placing it here in clear text.
        The assertionConsumerUrl must match the ACS URL registered at the IdP exactly (scheme, host and path); it is HTTPS here, which is needed to protect the assertion in transit.
        The host name looks like a test environment; verify name, issuer and assertionConsumerUrl before reusing this file for another deployment. -->
			<PartnerIdentityProvider name="https://sts.windows.net/1aae25ce-51f0-4c30-bb6b-a76368c89cde/"
                               issuer="urn:Avolin:pivotal:authentication2"
                               assertionConsumerUrl="https://avolintest.paax.com.co/pivotalux/index.aspx"
                               icon="fa-windows"
                               color="#009900"
                               partnerCertificatePassword="" />


		</SAML>
	</SingleSignOnProviders>

	<!-- Assembly binding redirects. Each entry maps every request for an older version of the named assembly onto the single version deployed with the site.
  NOTE(review): a redirect only selects a version, it does not patch one. The pinned versions here (Newtonsoft.Json 6.0.0.0, System.Web.Http / System.Net.Http.Formatting 5.1.0.0,
  Microsoft.Owin 2.1.0.0, System.Web.Mvc 5.2.0.0) are old major releases; confirm the deployed assemblies are still supported, and raise newVersion together with the package whenever one is updated. -->
	<runtime>
		<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
			<dependentAssembly>
				<assemblyIdentity name="System.Web.Http" publicKeyToken="31bf3856ad364e35" culture="neutral"/>
				<bindingRedirect oldVersion="0.0.0.0-5.1.0.0" newVersion="5.1.0.0"/>
			</dependentAssembly>
			<dependentAssembly>
				<assemblyIdentity name="System.Net.Http.Formatting" publicKeyToken="31bf3856ad364e35" culture="neutral"/>
				<bindingRedirect oldVersion="0.0.0.0-5.1.0.0" newVersion="5.1.0.0"/>
			</dependentAssembly>
			<dependentAssembly>
				<assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral"/>
				<bindingRedirect oldVersion="0.0.0.0-6.0.0.0" newVersion="6.0.0.0"/>
			</dependentAssembly>
			<dependentAssembly>
				<assemblyIdentity name="Microsoft.Owin" publicKeyToken="31bf3856ad364e35" culture="neutral"/>
				<bindingRedirect oldVersion="0.0.0.0-2.1.0.0" newVersion="2.1.0.0"/>
			</dependentAssembly>
			<!-- The three entries below omit culture="neutral"; harmless, but inconsistent with the entries above. -->
			<dependentAssembly>
				<assemblyIdentity name="System.Web.Helpers" publicKeyToken="31bf3856ad364e35"/>
				<bindingRedirect oldVersion="1.0.0.0-3.0.0.0" newVersion="3.0.0.0"/>
			</dependentAssembly>
			<dependentAssembly>
				<assemblyIdentity name="System.Web.WebPages" publicKeyToken="31bf3856ad364e35"/>
				<bindingRedirect oldVersion="1.0.0.0-3.0.0.0" newVersion="3.0.0.0"/>
			</dependentAssembly>
			<dependentAssembly>
				<assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35"/>
				<bindingRedirect oldVersion="1.0.0.0-5.2.0.0" newVersion="5.2.0.0"/>
			</dependentAssembly>
		</assemblyBinding>
	</runtime>
</configuration>