A combination of URLs grouped into a single application
The name of the application
If true, this application will proxy to a remote application. If false, this application will be treated as an identity provider
The number of milliseconds an authorization rule's result is valid before it needs to be re-evaluated

Defines a URL that combines filters, policies, authentication and results based on an HTTP URL
If true, the URL for this URL configuration is interpreted as a regular expression
The name of the authentication chain to associate with this URL
If set to true, the request sent to the application will have its Host header replaced with the host of the downstream application
If set to true, the Referer header will have its host replaced with the host of the downstream application
A domain name or IP
The path of the URL to match this URL configuration to

Name/Value pair
Name of the parameter
Value of the parameter

Provides configuration for a filter configured on a URL. Any param with the same name but multiple values will be a multi-value attribute inside of OpenUnison
The class name of the filter, must implement com.tremolosecurity.proxy.filter.HttpFilter
Configure a list of HttpFilter objects that will be executed on this URL on each request
The full URL of the downstream application. MUST contain at least one parameter in a ${}, with the default parameter being fullURI. As an example: http://host:port${fullURI}
List of URLs that make up an application

The base configuration type for Unison
Path to myvd.conf, should start with "WEB-INF/"
Path to the keystore, should start with "WEB-INF/"
Password for the keystore and all keys
If set, determines the root DN of the virtual directory. Defaults to o=Tremolo
If set, determines the objectClass for groups in the virtual directory. Defaults to groupOfUniqueNames
If set, determines the name of the group attribute that stores members. Defaults to uniqueMember
If set, determines the objectClass to use for users. Defaults to inetOrgPerson.
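The proxyTo, Host-override and Referer-override settings above decide what the downstream application actually receives. The following Python is an added example that models those three rules; it is not OpenUnison code, and the dict keys (proxyTo, overrideHost, overrideReferer) are my own placeholders for the settings the schema describes. It also adds the check a practitioner wants: fullURI is client-controlled, so it is only accepted as an absolute path, which keeps it from rewriting the authority part of the target URL.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample URL configuration. The keys are placeholders for the
# settings the schema describes, not OpenUnison element or attribute names.
URL_CONFIG = {
    "proxyTo": "http://app.internal:8080${fullURI}",
    "overrideHost": True,
    "overrideReferer": True,
}

PARAM_RE = re.compile(r"\$\{([A-Za-z0-9_]+)\}")


def validate_proxy_to(template):
    """The schema requires at least one ${} parameter in proxyTo."""
    if not PARAM_RE.search(template):
        raise ValueError("proxyTo must contain at least one ${} parameter")
    return True


def expand(template, params):
    """Replace every ${name} with params[name]. An unknown name is an error,
    not an empty string, so a typo cannot silently collapse the target URL."""
    def substitute(match):
        name = match.group(1)
        if name not in params:
            raise KeyError("unknown proxyTo parameter: " + name)
        return params[name]
    return PARAM_RE.sub(substitute, template)


def build_upstream_request(cfg, full_uri, headers):
    """Return (target_url, headers) for the request that would be forwarded."""
    validate_proxy_to(cfg["proxyTo"])
    # fullURI comes from the client; requiring a leading "/" means it can only
    # ever extend the path, never the scheme or host:port of the target.
    if not full_uri.startswith("/"):
        raise ValueError("fullURI must be an absolute path")
    target = expand(cfg["proxyTo"], {"fullURI": full_uri})
    upstream_host = urlsplit(target).netloc
    out = dict(headers)
    if cfg.get("overrideHost"):
        out["Host"] = upstream_host
    if cfg.get("overrideReferer") and "Referer" in out:
        parts = urlsplit(out["Referer"])
        out["Referer"] = urlunsplit(parts._replace(netloc=upstream_host))
    return target, out
```

Leaving the Host override off is the right choice when the downstream application uses Host for virtual hosting or to build absolute redirects back to the proxy; turning it on is right when it validates Host against its own name. The Referer rewrite only touches the host part, so the path the downstream sees is still the one the user was on.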
Determines the number of threads per route per session. Defaults to 6 (based on Chrome). For best performance, this should equal the per-host connection limit of whichever browser is used most
Implementation of com.tremolosecurity.proxy.HttpUpgradeRequestManager
List of all applications configured on this Unison instance

Redirect the user to an error page
If 0, this is a "catch all" URL to redirect to

Name of the cookie for open sessions
Number of seconds open sessions should be allowed until they time out
If true, requires SSL connections
If true, adds the HttpOnly flag
If true, adds the HSTS headers
The number of seconds the HSTS header should be valid

Provides a common configuration type
The URI on Unison that will host the mechanism. Must start with "/auth/"
Implementation of com.tremolosecurity.proxy.auth.AuthMechanism
Name of the mechanism
Deprecated, do not use

List of authentication mechanisms for this chain
Implementation of an authentication mechanism for this chain
The name of the authentication mechanism being implemented
Determines if the mechanism is required or simply sufficient. Sufficient mechanisms are skipped if the required mechanisms are successfully completed.
List of name/value pairs for the authentication mechanism. The same parameter may be listed multiple times to provide multiple values

Configuration of a chain of authentication mechanisms
The name of the authentication chain
The level this authentication chain will be required to have. If a user has a lower level, this will trigger Unison to re-authenticate the user
If set to true, stop processing if all required mechanisms are completed
The directory root in the internal virtual directory to look up users. Should end in o=Tremolo
List of authentication chains

A result to an event
Form the result will take
Adds a header to the request, only available on authorization events
Sends a cookie to the user's browser based on the cookie configuration for the application this result is defined on
Sends a 302 redirect to the user's browser
Where the data for the result will come from
A hard coded value
An attribute from the user object
Implementation of com.tremolosecurity.proxy.results.CustomResult
The data for the result, based on the source
List of results that are executed in response to an event
Name of the result group
List of events and associated results
The result to execute when a user successfully authenticates
The result to execute when a user fails their authentication
The result to execute when a user is successfully authorized
The result to execute when the user is not authorized
List of result groups

Defines an authorization rule
Defines what will be considered for authorization
An LDAP filter that is evaluated on the current user
An LDAP static group (groupOfUniqueNames) that a user must be a member of
A root DN that the user must be a child object of in the virtual directory. For instance, o=Tremolo would authorize all users
The DN of an LDAP dynamic group (groupOfURLs)
Not yet implemented
The value of the rule, for instance the DN of the group or the LDAP filter
Not yet implemented
List of the authorization rules

Configuration for an application's cookies
Name of the cookie
Domain of the cookie
Not implemented
The URL path to interpret as a logout and to clear the user's session
The name of the SecretKey in your keystore used to encrypt the session
Not implemented
If true, the cookie will have the Secure flag set, so it is only sent over HTTPS
Length, in seconds, until the session will time out from inactivity
If true, the HttpOnly flag will be added to the cookie so it is not available to JavaScript

A provisioning target is a resource that can be used to write user data from a workflow
Name of the target
Implementation of com.tremolosecurity.provisioning.core.ProvisioningTarget
Mapping from Unison to the provisioning target
Name of the attribute in the target system
The value of the attribute, based on the sourceType
Defines how the attribute value is set
A simple string of text
The attribute will come from a user attribute
Implementation of com.tremolosecurity.provisioning.mapping.CustomMapping
The types of the attribute in the provisioning target
List of provisioning targets

Top level provisioning configuration
Individual workflow task
List of workflow tasks
Individual workflow task that can choose between two paths (success and fail)
Workflow task for provisioning an account to a target type, may not have children
List of attributes to be examined in this step, omit or leave the list empty to allow all of the attributes specified in the target configuration
If set to true, then the target object will be made to exactly match the Unison user object, including deleting attributes that no longer exist on the user. If false, then only new values are sent.
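The chain settings described above (required versus sufficient mechanisms, the chain level that forces re-authentication, and the flag that stops the chain once every required mechanism has passed) interact in ways that are easy to misconfigure. The Python below is an added example that models those rules; it is not OpenUnison's chain engine, the dict keys are my own placeholders for the schema's settings, and the mechanism outcomes are constructed. One point is an assumption, marked in the code: what a passing sufficient mechanism does when required mechanisms are still to come. Under the JAAS-style reading used here it satisfies the chain on its own, so order matters.

```python
# Constructed example chain. "required" models the required/sufficient
# setting; "finishOnRequiredSuccess" models "stop processing if all required
# mechanisms are completed". Keys are placeholders, not OpenUnison names.
CHAIN = {
    "name": "password-then-otp",
    "level": 20,
    "finishOnRequiredSuccess": False,
    "mechanisms": [
        {"name": "password", "required": True},
        {"name": "otp", "required": True},
        {"name": "cert", "required": False},   # sufficient
    ],
}


def needs_reauth(session_level, chain_level):
    """A session at a lower level than the URL's chain must re-authenticate.
    A session with no level (anonymous) always has to authenticate."""
    return session_level is None or session_level < chain_level


def run_chain(chain, outcomes):
    """Evaluate a chain against constructed per-mechanism outcomes
    (name -> True/False). Returns (authenticated, mechanisms_executed)."""
    mechs = chain["mechanisms"]
    required_total = sum(1 for m in mechs if m["required"])
    required_done = 0
    executed = []
    for m in mechs:
        if not m["required"] and required_total and required_done == required_total:
            continue  # sufficient mechanisms are skipped once all required ones passed
        executed.append(m["name"])
        ok = outcomes[m["name"]]
        if m["required"]:
            if not ok:
                return False, executed  # one failed required mechanism fails the chain
            required_done += 1
            if chain["finishOnRequiredSuccess"] and required_done == required_total:
                return True, executed
        elif ok:
            # ASSUMPTION (JAAS-style semantics): a passing sufficient mechanism
            # satisfies the chain even if required mechanisms come after it.
            return True, executed
    return required_total > 0 and required_done == required_total, executed


def level_after(chain, outcomes, session_level):
    """Level the session holds afterwards: the chain's level on success,
    otherwise unchanged."""
    ok, _ = run_chain(chain, outcomes)
    return chain["level"] if ok else session_level
```

The practical consequence: a URL protected by a level-20 chain will re-run the chain for a session that only completed a level-10 (say, password-only) chain, and a sufficient mechanism placed before the required ones can short-circuit the rest under the semantics modelled here, so put sufficient mechanisms last unless that is what you want.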
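The authorization rule scopes above (an LDAP filter on the user, a static groupOfUniqueNames, a root DN the user must sit under, and the not-yet-implemented dynamic group) plus the per-application cache lifetime for rule results can be modelled in a few dozen lines. The following Python is an added example, not OpenUnison's authorization code; the directory, the rule dicts and the azTimeoutMillis name are constructed for illustration. It includes the two checks that matter in practice: the DN scope compares on an RDN boundary (a plain suffix match would accept uid=x,o=NotTremolo for o=Tremolo), and a cached verdict outlives a directory change until the configured lifetime has elapsed.

```python
import time


def norm_dn(dn):
    """Lower-case and strip spaces around commas so DN comparisons are stable."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def under_root(user_dn, root_dn):
    """True if user_dn is root_dn or a descendant of it, compared per RDN."""
    user, root = norm_dn(user_dn), norm_dn(root_dn)
    return user == root or user.endswith("," + root)


def parse_filter(text):
    """Parse a small RFC 4515 subset: (attr=value), (attr=*), (&...), (|...), (!...)."""
    def parse(i):
        if text[i] != "(":
            raise ValueError("expected '(' at %d" % i)
        i += 1
        if text[i] in "&|!":
            op, i, kids = text[i], i + 1, []
            while i < len(text) and text[i] == "(":
                node, i = parse(i)
                kids.append(node)
            if i >= len(text) or text[i] != ")":
                raise ValueError("unterminated filter")
            if op == "!" and len(kids) != 1:
                raise ValueError("NOT takes exactly one operand")
            return (op, kids), i + 1
        end = text.index(")", i)
        attr, sep, value = text[i:end].partition("=")
        if not sep:
            raise ValueError("expected attr=value")
        return ("=", attr.strip().lower(), value), end + 1
    node, i = parse(0)
    if i != len(text):
        raise ValueError("trailing data after filter")
    return node


def eval_filter(node, attrs):
    """attrs: {lower-case attribute name: [values]}."""
    op = node[0]
    if op == "=":
        values = [v.lower() for v in attrs.get(node[1], [])]
        return bool(values) if node[2] == "*" else node[2].lower() in values
    if op == "&":
        return all(eval_filter(k, attrs) for k in node[1])
    if op == "|":
        return any(eval_filter(k, attrs) for k in node[1])
    return not eval_filter(node[1][0], attrs)


class Authorizer:
    """Evaluate rule scopes against an in-memory directory
    (dn -> {attribute: [values]}) and cache each verdict for azTimeoutMillis."""

    def __init__(self, directory, az_timeout_millis):
        self.directory = directory
        self.ttl = az_timeout_millis / 1000.0
        self.cache = {}

    def authorize(self, user_dn, rule, now=None):
        now = time.time() if now is None else now
        key = (norm_dn(user_dn), rule["scope"], rule["constraint"])
        hit = self.cache.get(key)
        if hit is not None and now < hit[1]:
            return hit[0]  # directory changes are invisible until the verdict expires
        verdict = self._evaluate(user_dn, rule)
        self.cache[key] = (verdict, now + self.ttl)
        return verdict

    def _evaluate(self, user_dn, rule):
        scope, constraint = rule["scope"], rule["constraint"]
        user = {k.lower(): v for k, v in self.directory[user_dn].items()}
        if scope == "dn":
            return under_root(user_dn, constraint)
        if scope == "filter":
            return eval_filter(parse_filter(constraint), user)
        if scope == "group":
            group = {k.lower(): v for k, v in self.directory.get(constraint, {}).items()}
            members = {norm_dn(m) for m in group.get("uniquemember", [])}
            return norm_dn(user_dn) in members
        if scope == "dynamicGroup":
            raise NotImplementedError("dynamic groups (groupOfURLs) are not yet implemented")
        raise ValueError("unknown scope: " + scope)


# Constructed directory data for the example.
DIRECTORY = {
    "uid=alice,ou=users,o=Tremolo": {
        "objectClass": ["inetOrgPerson"], "uid": ["alice"], "departmentNumber": ["sec"]},
    "uid=mallory,ou=users,o=NotTremolo": {
        "objectClass": ["inetOrgPerson"], "uid": ["mallory"], "departmentNumber": ["sec"]},
    "cn=admins,ou=groups,o=Tremolo": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=alice,ou=users,o=Tremolo"]},
}
```

Size the cache lifetime against how quickly a revoked group membership must take effect: a long azTimeoutMillis saves directory round trips but means removal from a group is not enforced until the cached verdict expires.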
The name of the provisioning target to execute against
If set to true, the task will attempt to set the object's password on the remote target
If true, then the provisioning task will ignore any attributes that are listed in the target configuration but NOT explicitly added to the user object in the workflow

A workflow is a series of tasks and decisions to update downstream identity stores
Name of the workflow
A human readable name
A description of the workflow
If set to true, then this workflow will be listed by the provisioning web services
The UUID of the organization this workflow must be listed under
List of workflows

Task to determine if a user exists in a given target, may have children
The name of the provisioning target to check
The name of the attribute to identify the user

Provides a mapping of the Unison user object. This task creates a copy of the object for all children of this task
Name of the attribute to map to
The source of the attribute, based on the sourceType
Defines how the mapping will occur
Set the attribute to a static string
Set the attribute from an attribute on the user
Implementation of com.tremolosecurity.provisioning.mapping.CustomMapping
A string combined with user attributes enclosed in ${}. For instance, to combine a givenName and sn use "${givenName} ${sn}"
Collection of mappings

Adds a group to the user object
The name of the group to add
If true, removes the group

Determines if the workflow should reload the Unison user object after the workflow is executed. This is useful for Unison policies that rely on the outcome of the workflow
If set to true, any attributes from an external source (such as an assertion) will be maintained even if they are not present on the user's object in the virtual directory

This task will execute subtasks if the named attribute has the specified value
Name of the attribute to check
The value to check for

This task will run subtasks if the named attribute exists on the user
Name of the attribute to look for

Adds an attribute to the user's object
Name of the attribute to add
Value of the attribute
If true and the value is empty, remove the entire attribute; if true and the value is set, remove only that value of the attribute
If true, then the attribute is added to the workflow's request object instead of its user object
List of target configuration options

Provides a mapping of the user based on the map element
If set to true, only attributes explicitly named in this mapping will be available to subtasks

Defines an identity provider for a URL
Implementation of com.tremolosecurity.idp.server.IdentityProvider
List of identity providers on this URL
Defines a trust relationship between the identity provider and relying party
Name of the trust
Define a list of trusts
Define a mapping from the user's object into an assertion
If true, only map attributes explicitly defined into the assertion

Defines an approval step that must be completed before executing sub tasks
A template for emails to be sent to approvers. Attributes from the approver may be added using ${}, e.g. to add the givenName use ${givenName}
The attribute on the user to find their email address
Subject of the email to be sent to the requestor if the approval request is rejected
A template for emails to be sent to users after a failure. Attributes from the approver may be added using ${}, e.g. to add the givenName use ${givenName}
Label for this approval in reports

Defines the database used to track requests and approvals
JDBC Driver
JDBC URL
User for connecting to the database
Password for connecting to the database
Maximum number of connections
Maximum idle connections
User attribute that identifies the user (e.g. uid)
List of approver attributes to be tracked in the database. A field for each attribute should be added to the approvers table.
List of user attributes to be tracked in the database. A field for each attribute should be added to the users table.
If true, the approval database will be used to log all provisioning transactions
SMTP host for sending emails
SMTP port for sending emails
User for the SMTP server
Password for connecting to the SMTP server
Subject for notifications
Address to use in the From field
Use TLS for connecting to the SMTP server
Name of the key in the keystore for encrypting workflows in the database
If set to true, Unison will use a SOCKS proxy
If using a SOCKS proxy, the host
If using a SOCKS proxy, the port
If using a SOCKS proxy, the localhost name to send
List of attributes whose values are NOT to be recorded in the database
A query that can validate the connection is active, e.g. "SELECT 1"
The Hibernate dialect to use
Additional properties to pass into Hibernate
The mapping file (.hbm.xml) to use if the default mapping doesn't work, must be in the classpath
If true, create tables. After initial configuration, you may want to disable this depending on the dialect.

Task to call an existing workflow
Name of the workflow being called

Notify the subject of a workflow
Message to be sent, include the user's attributes by enclosing them in ${}. For instance, to include givenName use ${givenName}
The subject line of the email
The attribute containing the user's email address
If specified, used as the content type of the email

Call a custom workflow task
Implementation of com.tremolosecurity.provisioning.util.CustomTask

Delete the user from the target
The name of the provisioning target to delete the user from

Top level element for an application
Top level element for a workflow

An organization can be used to organize workflows and portal links
Child organizations
List of optional authorization rules associated with this organization
Name of the organization
Description of the organization
A unique UUID used to identify this organization
If true, shown on the portal screen in ScaleJS
If true, shown on the request access screen in ScaleJS
If true, shown on the reports screen in ScaleJS

Configuration of how Unison will utilize a JMS queue
If true, Unison will use an embedded version of ActiveMQ
Number of producer threads
Class name for the JMS connection factory
Maximum number of consumer threads
Name of the queue for storing Unison tasks
Name of the queue to store emails in
Name of the encryption key for encrypting messages sent to the queue
Number of task queues
If true, multiple queues can be used for tasks

A portal URL can point to any resource
Authorization rule for whether a user should be shown a link
Label for the URL
The URL for the remote resource
Name of the URL
The UUID of the organization to place this URL in
Base64 encoded PNG file that will be displayed to the user
A list of URLs that can be displayed to a user in Scale or another identity portal

Unison uses an internal scheduler to be able to perform jobs at specific times
If set to true, Unison will use the Quartz database provider. This will make sure that in a cluster, a job is only executed once
Number of threads the scheduler should use, minimum of 3
Label for this cluster
The start of the IP to use to identify this server in the cluster
Database configuration for connecting to the scheduler database
Delegate class name from Quartz
JDBC Driver
JDBC URL
Database user
Database password
Maximum connections to the database
Query to validate connections are still active

Configuration for a scheduled job
Implementation of the abstract class com.tremolosecurity.provisioning.scheduler.UnisonJob
Name of the job
Group name for the job
Jobs are scheduled using cron syntax
Which seconds to run on
Which minutes to run on
Which hours to run on
Which days of the month to run on
Which months to run on
Which days of the week to run on
Which years to run on

List of message listeners
Listens on the queue for messages
Implements the com.tremolosecurity.provisioning.core.UnisonMessageListener abstract class
The name of the queue to listen on

Defines a set of reports that are available to run
List of possible parameters that can be provided to the SQL statement. Each parameter must be named in the order they appear in the SQL.
A SQL statement that drives the report
List of fields from the SQL statement that will be listed before the data set
List of fields from the SQL statement that will be included in the dataset
The id of the organization to place this report in
The name of this report
Descriptive text about the report
The name of the column to break up the dataset by, only used if groupings is true
Set to true if a report should be broken up into multiple data sets based on a grouping
List of reports, optional

If an approval is not acted on in a certain amount of time, an escalation can be used to re-assign the approval
The amount of time since the approval or previous escalation was executed until this escalation rule should be enabled.
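The provisioning task options described earlier (the attribute list that limits what the task examines, the exact-match mode that deletes what the user no longer has versus the additive mode that only sends new values, and the flag that ignores target attributes not explicitly added in the workflow) combine with the target mapping types (static text, a user attribute, or a composite such as "${givenName} ${sn}") to decide what is actually written. The Python below is an added example that computes that write plan; it is not OpenUnison's provisioning engine, the dict keys are placeholders for the schema's settings, and the mappings, user object and current target account are constructed. Custom mappings need a CustomMapping class and are not modelled. One design choice is marked in the code: in exact mode only mapped attributes are ever deleted, so target-side system attributes are left alone.

```python
import re

TEMPLATE_RE = re.compile(r"\$\{([A-Za-z0-9_]+)\}")


def map_value(mapping, user):
    """Produce the target attribute's values from one mapping entry.
    sourceType "static", "user" and "composite" follow the schema text;
    "custom" would need a CustomMapping class and is not modelled here."""
    src, kind = mapping["source"], mapping["sourceType"]
    if kind == "static":
        return [src]
    if kind == "user":
        return list(user.get(src, []))
    if kind == "composite":
        # "${givenName} ${sn}": first value of each attribute, "" if absent
        return [TEMPLATE_RE.sub(lambda m: (user.get(m.group(1)) or [""])[0], src)]
    raise NotImplementedError("sourceType %r needs a CustomMapping implementation" % kind)


def plan_sync(target_mappings, current_target, user, attributes=(),
              exact=False, only_passed_in=False, explicitly_set=frozenset()):
    """Return (adds, removes): per-attribute values the provisioning task would
    send. exact=True is the "make the target match, including deletions" mode;
    exact=False sends only new values. only_passed_in drops user-sourced
    mappings whose attribute was not explicitly added in the workflow."""
    desired = {}
    for m in target_mappings:
        name = m["targetAttributeName"]
        if attributes and name not in attributes:
            continue
        if only_passed_in and m["sourceType"] == "user" and m["source"] not in explicitly_set:
            continue
        desired[name] = {v for v in map_value(m, user) if v.strip() != ""}
    adds, removes = {}, {}
    for name, want in desired.items():
        have = set(current_target.get(name, []))
        if want - have:
            adds[name] = sorted(want - have)
        # Exact mode removes stale values, and an attribute the user no longer
        # has (want is empty) is deleted outright. Only mapped attributes are
        # candidates, so unmapped target-side attributes survive (design choice).
        if exact and have - want:
            removes[name] = sorted(have - want)
    return adds, removes


# Constructed sample data: target mappings, the user object as it leaves the
# workflow, and the account as it currently exists in the target.
TARGET_MAPPINGS = [
    {"targetAttributeName": "cn", "sourceType": "composite", "source": "${givenName} ${sn}"},
    {"targetAttributeName": "mail", "sourceType": "user", "source": "mail"},
    {"targetAttributeName": "title", "sourceType": "user", "source": "title"},
    {"targetAttributeName": "employeeType", "sourceType": "static", "source": "contractor"},
]
USER = {"givenName": ["Alice"], "sn": ["Smith"],
        "mail": ["alice@example.com", "asmith@example.com"]}   # title no longer present
CURRENT_TARGET = {"cn": ["A. Smith"], "mail": ["alice@example.com"],
                  "title": ["Intern"], "employeeType": ["contractor"]}
```

The difference between the modes is the whole point of the setting: additive mode never removes the stale cn or the obsolete title, so a user who changes role keeps old entitlements in the target, while exact mode reconciles them. Pair exact mode with the attribute list (or the ignore-unpassed flag) when the target carries attributes the workflow does not own.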
Implementation of com.tremolosecurity.proxy.az.VerifyEscalation, used to determine if an escalation that is due because of elapsed time should actually execute based on additional logic.
Determines the unit of time executeAfterTime is expressed in
Provides an optional escalation policy for an approval
Determines what should happen when an approval has no approvers
Determines what should happen when no approvers are available. If "assign", then the approval is assigned to the azRules section. If "leave", then the approval is left alone.

Defines a custom authorization that can provide approvers to an approval or determine if a subject has access to a requested resource
A label for the authorization rule
Class name of the class that implements com.tremolosecurity.proxy.az.CustomAuthorization
List of custom authorization implementations

Optional element used to configure a workflow as dynamic
Parameter used to initialize the dynamic workflow generator
If set to true, the workflow is dynamic
Implementation of com.tremolosecurity.provisioning.util.DynamicWorkflow

Configuration for making sure brute force attacks can't be used
If true, enable lockout compliance
Maximum attempts before locking a user out
The amount of time in milliseconds that a user must be locked out before allowing logins
Attribute used to store the number of failed attempts
Attribute that stores the time stamp of the last failed attempt at authentication as the milliseconds since EPOCH
Attribute that stores the last successful authentication as the milliseconds since EPOCH
The workflow used to update the attributes
Attribute used to identify the user in the workflow
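The lockout settings above describe a counter, a lockout window and three directory attributes maintained through a workflow. The Python below is an added example that applies those rules to a sequence of login attempts; it is not OpenUnison's lockout code, the setting names and attribute names are constructed placeholders, and the times are constructed epoch milliseconds (note the unit: this setting is in milliseconds where the session and HSTS timeouts elsewhere in the schema are in seconds). Two behaviours the schema leaves open are decided here and marked in the code: correct credentials are refused while the window is open, and a failed attempt inside the window does not extend it.

```python
# Constructed lockout settings; the attribute names are placeholders for the
# three attributes the schema lets you choose.
LOCKOUT = {
    "enabled": True,
    "maxFailedAttempts": 3,
    "maxLockoutTime": 60_000,              # milliseconds, per the schema
    "numFailedAttribute": "unisonFailedLogins",
    "lastFailedAttribute": "unisonLastFailed",
    "lastSucceedAttribute": "unisonLastSuccess",
}


def check_attempt(cfg, attrs, credentials_ok, now_ms):
    """Apply the lockout rule to one login attempt. attrs is the user's
    attribute dict and is updated the way the configured workflow would update
    the directory. Returns "locked", "allowed" or "denied"."""
    if not cfg["enabled"]:
        return "allowed" if credentials_ok else "denied"
    failed = int(attrs.get(cfg["numFailedAttribute"], 0))
    last_failed = int(attrs.get(cfg["lastFailedAttribute"], 0))
    # Inside the window even correct credentials are refused, so an attacker
    # cannot keep guessing and learn the right password from the lock state.
    # A failure inside the window does not move lastFailed (design choice),
    # so the window is not extended indefinitely by continued guessing.
    if failed >= cfg["maxFailedAttempts"] and now_ms - last_failed < cfg["maxLockoutTime"]:
        return "locked"
    if credentials_ok:
        attrs[cfg["numFailedAttribute"]] = 0
        attrs[cfg["lastSucceedAttribute"]] = now_ms
        return "allowed"
    if failed >= cfg["maxFailedAttempts"]:
        failed = 0  # window expired: start a fresh count
    attrs[cfg["numFailedAttribute"]] = failed + 1
    attrs[cfg["lastFailedAttribute"]] = now_ms
    return "denied"


def remaining_lockout_ms(cfg, attrs, now_ms):
    """How long the account stays locked from now_ms (0 if not locked)."""
    failed = int(attrs.get(cfg["numFailedAttribute"], 0))
    if failed < cfg["maxFailedAttempts"]:
        return 0
    last_failed = int(attrs.get(cfg["lastFailedAttribute"], 0))
    return max(0, last_failed + cfg["maxLockoutTime"] - now_ms)
```

Because the counters live in directory attributes written by a workflow, make sure that workflow is allowed to modify those attributes on the user's entry and nothing else, and that the attribute identifying the user in the workflow is unique; otherwise a failed login against one account could lock, or reset, another.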