A combination of URLs grouped into a single
application
The name of the application
If true, this application will proxy to a remote
application. If false, this application will be treated as an
identity provider
The number of milliseconds an authorization rule is
valid before it needs to be re-evaluated
Defines a URL that combines filters, policies,
authentication and results based on an HTTP URL
If true, the path (uri) of this URL is interpreted as a
regular expression rather than matched literally
The name of the authentication chain to associate
with this URL
If set to true, the request sent to the application
will have its Host header replaced with the host of the downstream
application
If set to true, the Referer header will have its
host replaced with the host of the downstream application
A domain name or IP
The path of the URL to match this URL configuration to
Name/Value pair
Name of the parameter
Value of the parameter
Provides configuration for a filter configured on a
URL. Any param with the same name but multiple values will be a
multi value attribute inside of OpenUnison
The class name of the filter, must implement
com.tremolosecurity.proxy.filter.HttpFilter
Configure a list of HttpFilter objects that will be
executed on this URL on each request
The full URL of the downstream application. MUST
contain at least one parameter in a ${}, the default parameter
being fullURI. As an example: http://host:port${fullURI}
List of URLs that make an application
The base configuration type for Unison
Path to myvd.conf, should start with "WEB-INF/"
Path to the keystore, should start with
"WEB-INF/"
Password for the keystore and all keys
If set, determines the root dn of the virtual directory. Defaults to o=Tremolo
If set, determines the objectClass for groups in the virtual directory. Defaults to groupOfUniqueNames
If set, determines the name of the group attribute that stores members. Defaults to uniqueMember
If set, determines the objectClass to use for users. Defaults to inetOrgPerson.
Determines the number of threads per route per session. Defaults to 6 (based on Chrome). For best performance, this should match the per-host connection limit of the browser most commonly used against this instance.
Implementation of com.tremolosecurity.proxy.HttpUpgradeRequestManager
List of all applications configured on this Unison
instance
Redirect the user to an error page
If 0, this is a "catch all"
URL to redirect to
Name of the cookie for open sessions
Number of seconds an open session is allowed to exist
before it times out
If true, requires SSL connections
If true, adds the HttpOnly flag to the session cookie
If true, adds the HSTS (Strict-Transport-Security) header to responses
The max-age, in seconds, sent in the HSTS header
Provides a common configuration type
The URI on Unison that will host the mechanism. Must
start with "/auth/"
Implementation of
com.tremolosecurity.proxy.auth.AuthMechanism
Name of the mechanism
Deprecated, do not use
List of authentication mechanisms for this chain
Implementation of an authentication mechanism for this
chain
The name of the authentication mechanism being
implemented
Determines if the mechanism is required or simply
sufficient. Sufficient mechanisms are skipped if the required
mechanisms are successfully completed.
List of name value pairs for the authentication
mechanism. The same parameter may be listed multiple times to
provide multiple values
Configuration of a chain of authentication mechanisms
The name of the authentication chain
The level this authentication chain will be required
to have. If a user has a lower level, this will trigger Unison to
re-authenticate the user
If set to true, stop processing if all required
mechanisms are completed
The directory root in the internal virtual directory
to look up users. Should end in o=Tremolo
List of authentication chains
A result to an event
Form the result will take
Adds a header to the request, only available on
authorization events
Sends a cookie to the user's browser based on the
cookie configuration for the application this result is defined
on
Sends a 302 redirect to the user's browser
Where the data for the result will come from
A hard coded value
An attribute from the user object
Implementation of the
com.tremolosecurity.proxy.results.CustomResult
The data for the result, based on the source
List of results that are executed in response to an
event
Name of the result group
List of events and associated results
The result to execute when a user successfully
authenticates
The result to execute when a user fails their
authentication
The result to execute when a user is successfully
authorized
The result to execute when the user is not
authorized
List of result groups
Defines an authorization rule
Defines what will be considered for authorization
An LDAP filter that is evaluated on the current
user
An LDAP static group (groupOfUniqueNames) that a
user must be a member of
A root DN that the user must be a child object of
in the virtual directory. For instance o=Tremolo would
authorize all users
The DN of an LDAP dynamic group (groupOfURLs)
Not yet implemented
The value of the rule, for instance the DN of the
group or the LDAP filter
Not yet implemented
List of the authorization rules
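The rule scopes above (an LDAP filter, a static group, a root DN) are easier to reason about when you can run them against sample entries. The following is an added example written for this page, not OpenUnison's own authorization code: it evaluates the three implemented scopes against constructed in-memory LDAP entries. The scope labels "filter", "group" and "dn", the membership attribute uniqueMember, the any-rule-grants combination in authorized(), and the subset of RFC 4515 filter syntax supported (presence, equality, &, |, !) are all assumptions of the example; the dynamic group scope is left out.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# An LDAP entry as attribute -> values; attribute names are lower-cased on construction.
Entry = Dict[str, List[str]]


def make_entry(**attrs: List[str]) -> Entry:
    return {k.lower(): list(v) for k, v in attrs.items()}


def norm_dn(dn: str) -> Tuple[str, ...]:
    """Split a DN into lower-cased, trimmed RDNs. Escaped commas and
    multi-valued RDNs are not handled; enough for the constructed data."""
    return tuple(rdn.strip().lower() for rdn in dn.split(","))


def make_directory(entries: Dict[str, Entry]) -> Dict[str, Entry]:
    """Index constructed entries by normalized DN so lookups ignore case/spacing."""
    return {",".join(norm_dn(dn)): e for dn, e in entries.items()}


def dn_is_under(user_dn: str, root_dn: str) -> bool:
    """True when user_dn is a strict descendant of root_dn (the "dn" scope)."""
    u, r = norm_dn(user_dn), norm_dn(root_dn)
    return len(u) > len(r) and u[-len(r):] == r


def parse_filter(s: str, i: int = 0):
    """Recursive-descent parser for a subset of RFC 4515: presence (attr=*),
    equality (attr=value) and the &, |, ! operators. Substring, ordering and
    escaped values are deliberately out of scope. Returns (node, next_index)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {s!r}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        if i >= len(s) or s[i] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed {op} expression in {s!r}")
        return (op, kids), i + 1
    end = s.find(")", i)
    if end < 0:
        raise ValueError(f"unterminated filter item in {s!r}")
    attr, sep, value = s[i:end].partition("=")
    if not sep or not attr.strip() or not value:
        raise ValueError(f"unsupported filter item {s[i:end]!r}")
    return ("=", attr.strip().lower(), value), end + 1


def eval_filter(node, entry: Entry) -> bool:
    op = node[0]
    if op == "&":
        return all(eval_filter(k, entry) for k in node[1])
    if op == "|":
        return any(eval_filter(k, entry) for k in node[1])
    if op == "!":
        return not eval_filter(node[1][0], entry)
    _, attr, value = node
    values = [v.lower() for v in entry.get(attr, [])]
    return bool(values) if value == "*" else value.lower() in values


@dataclass(frozen=True)
class Rule:
    scope: str        # "filter", "group" or "dn" (labels assumed by this example)
    constraint: str   # the LDAP filter, the group DN, or the root DN


def rule_allows(rule: Rule, user_dn: str, user: Entry, directory: Dict[str, Entry]) -> bool:
    if rule.scope == "dn":
        return dn_is_under(user_dn, rule.constraint)
    if rule.scope == "filter":
        node, end = parse_filter(rule.constraint)
        if end != len(rule.constraint):
            raise ValueError(f"trailing data in filter {rule.constraint!r}")
        return eval_filter(node, user)
    if rule.scope == "group":
        group = directory.get(",".join(norm_dn(rule.constraint)))
        members = {norm_dn(m) for m in (group or {}).get("uniquemember", [])}
        return norm_dn(user_dn) in members
    raise ValueError(f"unsupported scope {rule.scope!r}")


def authorized(rules: List[Rule], user_dn: str, user: Entry, directory: Dict[str, Entry]) -> bool:
    """Assumption of this example: access is granted when any rule matches."""
    return any(rule_allows(r, user_dn, user, directory) for r in rules)
```

A malformed filter raises rather than evaluating to False, which is the behaviour you want from an authorization check: a rule that cannot be parsed should fail closed and be visible in logs, not silently deny (or, worse, grant) access.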
Configuration for an application's cookies
Name of the cookie
Domain of the cookie
Not implemented
The URL path to interpret as a logout and to clear
the user's session
The name of the SecretKey in your keystore used to
encrypt the session
Not implemented
If true, the cookie will have the Secure flag set so it is only sent over HTTPS
Length, in seconds, until the session will timeout
from inactivity
If true, the HttpOnly flag will be added to the cookie so it is not available to JavaScript
A provisioning target is a resource that can be used
to write user data from a workflow
Name of the target
Implementation of
com.tremolosecurity.provisioning.core.ProvisioningTarget
Mapping from Unison to the provisioning target
Name of the attribute in the target system
The value of the attribute, based on the sourceType
Defines how the attribute value is set
A simple string of text
The attribute will come from a user
attribute
Implementation of
com.tremolosecurity.provisioning.mapping.CustomMapping
The types of the attribute in the provisioning target
List of provisioning targets
Top level provisioning configuration
Individual workflow task
List of workflow tasks
Individual workflow task that can choose between two
paths (success and fail)
Workflow task for provisioning an account to a target
type, may not have children
List of attributes to be examined in this step, omit or leave the list empty to allow all of the attributes specified in the target configuration
If set to true, then the target object will
be made to exactly match the Unison user
object including deleting non existent
attributes. If false then only new values
are sent.
The name of the provisioning target to
execute against
If set to true, the task will attempt to set
the object's password on the remote target
If true, then the provisioning task will ignore any attributes that are listed in the target configuration but NOT explicitly added to the user object in the workflow
A workflow is a series of tasks and decisions to
update downstream identity stores
Name of the workflow
A human readable name
A description of the workflow
If set to true, then this workflow will be listed by
the provisioning web services
The UUID of the organization this workflow must be
listed under
List of workflows
Task to determine if a user exists in a given target,
may have children
The name of the provisioning target to check
The name of the attribute to identify the user
Provides a mapping of the Unison user object. This
task creates a copy of the object for all children of this task
Name of the attribute to map to
The source of the attribute, based on the sourceType
Defines how the mapping will occur
Set the attribute to a static string
Set the attribute from an attribute on the user
Implementation of
com.tremolosecurity.provisioning.mapping.CustomMapping
A string combined with user attributes enclosed in
${}. For instance to combine a givenName and sn use
"${givenName} ${sn}"
Collection of mappings
Adds a group to the user object
The name of the group to add
If true, removes the group
Determines if the workflow should reload the Unison user
object after the workflow is executed. This is useful
for Unison policies that rely on the outcome of the
workflow
If set to true, any attributes from an
external source (such as an assertion) will
be maintained even if they are not present
on the user's object in the virtual
directory
This task will execute subtasks if the named attribute
has the specified value
Name of the attribute to check
The value to check for
This task will run subtasks if the named attribute
exists on the user
Name of the attribute to look for
Adds an attribute to the user's object
Name of the attribute to add
Value of the attribute
If true and the value is empty, remove the
entire attribute; if true and the value is
set, remove only that value of the attribute
If true then the attribute is added to the workflow's request object instead of its user object
List of target configuration options
Provides a mapping of the user based on the map
element
If set to true, only attributes explicitly named
in this mapping will be available to subtasks
Defines an identity provider for a URL
Implementation of
com.tremolosecurity.idp.server.IdentityProvider
List of identity providers on this URL
Defines a trust relationship between the identity
provider and relying party
Name of the trust
Define a list of trusts
Define a mapping from the user's object into an
assertion
If true, only map attributes explicitly defined into
the assertion
Defines an approval step that must be completed before
executing sub tasks
A template for emails to be sent to
approvers. Attributes from the approver
may be added using ${}, e.g. to add the
givenName use ${givenName}
The attribute on the user to find their
email address
Subject of the email to be sent to the
requestor if the approval request is
rejected
A template for emails to be sent to
users after a failure. Attributes from
the approver may be added using ${}, e.g.
to add the givenName use ${givenName}
Label for this approval in reports
Defines the database used to track requests and
approvals
JDBC Driver
JDBC URL
User for connecting to the database
Password for connecting to the database
Maximum number of connections
Maximum idle connections
User attribute that identifies the user (e.g. uid)
List of approver attributes to be tracked in the
database. A field for each attribute should be
added to the approvers table.
List of user attributes to be tracked in the
database. A field for each attribute should be
added to the users table.
If true, the approval database will be used to
log all provisioning transactions
SMTP host for sending emails
SMTP Port for sending emails
User for the SMTP server
Password for connecting to the SMTP server
Subject for notifications
Address to use in the From field
Use TLS for connecting to the SMTP server
Name of the key in the keystore for encrypting
workflows in the database
If set to true, Unison will use a SOCKS proxy
If using a SOCKS proxy, the host
If using a SOCKS proxy, the port
If using a SOCKS proxy, the localhost name to
send
List of attributes whose values are NOT to be
recorded in the database
A query that can validate the connection is active, e.g. "SELECT 1"
The hibernate dialect to use
Additional properties to pass into hibernate
The Hibernate mapping file (.hbm.xml) to use if the default mapping doesn't work, must be in the classpath
If true, create tables. After initial configuration, you may want to disable this depending on the dialect.
Task to call an existing workflow
Name of the workflow being called
Notify the subject of a workflow
Message to be sent, include user's attributes by
enclosing them in ${}. For instance to include givenName,
${givenName}
The subject line of the email
The attribute containing the user's email address
If specified, used as the content type of the email
Call a custom workflow task
Implementation of
com.tremolosecurity.provisioning.util.CustomTask
Delete the user from the target
The name of the provisioning target to delete the
user from
Top level element for an application
Top level element for a workflow
An organization can be used to organize workflows and
portal links
Child organizations
List of optional authorization rules associated with
this organization
Name of the organization
Description of the organization
A unique UUID used to identify this organization
If true, shown on the portal screen in scalejs
If true, shown on the request access screen in scalejs
If true, shown on the reports screen in scalejs
Configuration of how Unison will utilize a JMS Queue
If true, Unison will use an embedded version of
ActiveMQ
Number of producer threads
Class name for the JMS connection factory
Maximum number of consumer threads
Name of the queue for storing Unison tasks
Name of the queue to store emails in
Name of the encryption key for encrypting messages
sent to the queue
Number of task queues
If true, multiple queues can be used for tasks
A portal URL can point to any resource
Authorization rule that determines whether a user is shown
the link
Label for the URL
The URL for the remote resource
Name of the URL
The UUID of the organization to place this URL in
Base64 encoded PNG file that will be displayed to the
user
A list of URLs that can be displayed to a user in
Scale or other identity portal
Unison uses an internal scheduler to be able to
perform jobs at specific times
If set to true, Unison will use the Quartz database
provider. This will make sure that in a cluster, a job is only
executed once
Number of threads the scheduler should use, minimum
of 3
Label for this cluster
The leading part of the IP address used to identify this server in
the cluster
Database configuration for connecting to the scheduler
database
Delegate Class name from Quartz
JDBC Driver
JDBC URL
Database user
Database password
Maximum connections to the database
Query to validate connections are still active
Configuration for a scheduled job
Implementation of the abstract class
com.tremolosecurity.provisioning.scheduler.UnisonJob
Name of the job
Group name for the job
Jobs are scheduled using Cron syntax
Which seconds to run on
Which minutes to run on
Which hours to run on
Which days of the month to run on
Which months to run on
Which days of the week to run on
Which years to run on
List of message listeners
Listens on the queue for messages
Implements the
com.tremolosecurity.provisioning.core.UnisonMessageListener abstract
class
The name of the queue to listen on
Defines a set of reports that are available to run
List of possible parameters that can be provided to
the SQL statement. Each parameter must be named in the order they
appear in the SQL.
A SQL statement that drives the report
List of fields from the SQL statement that will be
listed before the data set
List of fields from the SQL statement that will be
included in the dataset
The id of the organization to place this report in
The name of this report
Descriptive text about the report
The name of the column to break up the dataset by,
only used if groupings is true
Set to true if a report should be broken up into
multiple data sets based on a grouping
List of reports, optional
If an approval is not acted on in a certain amount of
time, an escalation can be used to re-assign the approval
The amount of time since the approval or previous
escalation was executed until this escalation rule should be
enabled.
Implementation of
com.tremolosecurity.proxy.az.VerifyEscalation, used to decide, once
the time threshold has been reached, whether the escalation should
actually execute based on additional logic.
The unit of time that executeAftertime is expressed in
Provides an optional escalation policy for an approval
Determines what should happen when an approval has no
approvers
Determines what should happen when no approvers are
available. If "assign" then the approval is assigned to the azRules
section. If "leave" then the approval is left alone.
Defines a custom authorization that can provide
approvers to an approval or determine if a subject has access to a
requested resource
A label for the authorization rule
Class name of the class that implements
com.tremolosecurity.proxy.az.CustomAuthorization
List of custom authorization implementations
Optional element used to configure a workflow as dynamic
Parameter used to initialize the dynamic workflow generator
If set to true, the workflow is dynamic
Implementation of com.tremolosecurity.provisioning.util.DynamicWorkflow
Configuration for account lockout, so that brute force password attacks can't be used
If true, enable lockout compliance
Maximum attempts before locking a user out
The amount of time in milliseconds that a user must be locked out before allowing logins
Attribute used to store the number of failed attempts
Attribute that stores the timestamp of the last failed attempt at authentication as the milliseconds since EPOCH
Attribute that stores the last successful authentication as the milliseconds since EPOCH
The workflow used to update the attributes
Attribute used to identify the user in the workflow
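The lockout settings above (maximum attempts, lockout time in milliseconds, and the three tracking attributes) define a small state machine. The following is an added example written for this page, not OpenUnison's lockout code, showing one consistent way to evaluate that state and produce the attribute updates the page says a workflow writes back. The attribute names, the rule that the counter restarts after an expired lockout, and the choice not to touch the counters while an account is locked are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# A user's attributes as strings, as they would come back from a directory
User = Dict[str, str]


@dataclass(frozen=True)
class LockoutPolicy:
    enabled: bool
    max_failed_attempts: int
    lockout_time_millis: int
    # Attribute names are hypothetical; the page only says such attributes exist
    attempts_attr: str = "failedAttempts"
    last_failed_attr: str = "lastFailedMillis"
    last_succeeded_attr: str = "lastSucceededMillis"


def _as_int(user: User, attr: str) -> int:
    return int(user.get(attr) or 0)


def is_locked_out(policy: LockoutPolicy, user: User, now_ms: int) -> bool:
    """Locked when the failure counter has reached the maximum and the lockout
    window, measured from the last failure, has not yet elapsed."""
    if not policy.enabled:
        return False
    failed = _as_int(user, policy.attempts_attr)
    since_last_failure = now_ms - _as_int(user, policy.last_failed_attr)
    return failed >= policy.max_failed_attempts and since_last_failure < policy.lockout_time_millis


def record_failure(policy: LockoutPolicy, user: User, now_ms: int) -> User:
    """Attribute updates after a bad password. Assumption: once a lockout
    has expired, counting restarts from zero instead of staying saturated."""
    failed = _as_int(user, policy.attempts_attr)
    if policy.enabled and failed >= policy.max_failed_attempts and not is_locked_out(policy, user, now_ms):
        failed = 0
    return {policy.attempts_attr: str(failed + 1), policy.last_failed_attr: str(now_ms)}


def record_success(policy: LockoutPolicy, user: User, now_ms: int) -> User:
    """Attribute updates after a good password: reset the counter, stamp the success."""
    return {policy.attempts_attr: "0", policy.last_succeeded_attr: str(now_ms)}


def attempt_login(policy: LockoutPolicy, user: User, verify: Callable[[], bool],
                  now_ms: int) -> Tuple[bool, User]:
    """Returns (accepted, attribute updates to write back via the workflow).
    While locked the password is never checked, so a locked account gives an
    attacker no oracle on whether a guess was correct."""
    if is_locked_out(policy, user, now_ms):
        return False, {}
    if verify():
        return True, record_success(policy, user, now_ms)
    return False, record_failure(policy, user, now_ms)
```

Note that the timestamps are compared in milliseconds to match the units the page specifies for the lockout time and the stored attributes; mixing a seconds-based clock with these attributes would silently make every lockout expire almost immediately.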