IdP should log NameID for auditing
Description
Environment
Activity
Peter, that's a different issue than what Kristof first reported. I opened a new bug, SIDP-415, for the issue you reported.
There's a thread on shibboleth-users
https://lists.internet2.edu/sympa/arc/shibboleth-users/2010-09/msg00014.html
with two people (incl myself) seemingly not getting NameIDs logged. Since we also don't get any replies on the list I'm raising this here so we can find out what's wrong with our configuration.
I can't reopen this issue here to attach any config files, so how do we handle this?
Fixed in rev 2839
This is just notes for me.
This is because, on the front channel, encryption of the information is occurring before the information is logged (and the log doesn't log the encrypted info). On the back channel you don't normally encrypt, and so you don't run into this. If you turned on encryption there you'd end up with the same problem.
Since 2.1 NameID is logged provided it is not encrypted. However it is by default, so I'd still call this issue a bug.
There might be a way to log unencrypted NameID unconditionally.
Without the NameID logged, it's hard (or even impossible) to track back which user a certain SP session belonged to.
Actually haven't checked this with SAML1 NameIdentifiers.
Feel free to reject it if there's some other way to do this. Shib-users: http://marc.info/?t=123271285500002&r=1&w=2
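The ordering problem described in the comments above, as an added illustration (not code from the Shibboleth IdP): an audit logger that runs on the finished assertion sees only an EncryptedID, while one that captures the Subject before encryption still gets the NameID. The assertion and the base64 stand-in for XML encryption are constructed for this example.

```python
import base64
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2}

# Constructed sample assertion (not taken from the page): a Subject with a transient NameID.
ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2}" ID="_constructed1">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_a1b2c3</saml2:NameID>
  </saml2:Subject>
</saml2:Assertion>"""


def encrypt_name_id(subject):
    """Stand-in for XML encryption (assumption for this example): replaces the
    NameID element with an opaque EncryptedID. A real IdP uses XMLEnc here."""
    name_id = subject.find("saml2:NameID", NS)
    blob = base64.b64encode(name_id.text.encode()).decode()
    subject.remove(name_id)
    enc = ET.SubElement(subject, f"{{{SAML2}}}EncryptedID")
    enc.text = blob


def audit_name_id(assertion):
    """What an audit logger can recover from the assertion it is handed."""
    name_id = assertion.find("./saml2:Subject/saml2:NameID", NS)
    return name_id.text if name_id is not None else None


def log_after_encrypt(xml_text):
    """Front-channel order from the comment: encrypt first, then log."""
    root = ET.fromstring(xml_text)
    encrypt_name_id(root.find("saml2:Subject", NS))
    # The NameID is gone by the time the logger looks, so nothing is recorded.
    return audit_name_id(root), ET.tostring(root, encoding="unicode")


def log_before_encrypt(xml_text):
    """Capture the NameID for the audit log while it is still plaintext, then encrypt."""
    root = ET.fromstring(xml_text)
    recorded = audit_name_id(root)
    encrypt_name_id(root.find("saml2:Subject", NS))
    # The wire output still carries only the EncryptedID; only the log keeps the value.
    return recorded, ET.tostring(root, encoding="unicode")
```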