Versions Compared

Old Version 35

changes.mady.by.user Scott Cantor

Saved on

compared with

New Version 36

changes.mady.by.user Scott Cantor

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Expand
titleField Extraction

Field extraction is the process of populating a labeled field in an AuditContext object that is built up over the life of a transaction. The context is just a map of field names to collections of values and the field names are just conventions built-in to the software to provide a standard set of useful fields to audit.

Fields are extracted at various points through the life of a transaction so that adequate detail can be exposed about the request, the processing of the request, and the response. These extraction points are associated with collections of field extraction beans that do the actual work to pull data out of the state of the transaction and store it for output.

The built-in extraction points and beans are as follows (empty beans are not provided to reduce clutter, but you can add them, per the example below):

  1. shibboleth.FlowStartAuditExtractors

    • Extractors that run immediately after the flow starts operating and the ability to add fields is possible

  2. shibboleth.PostDecodeAuditExtractors

    • Extractors focused on the input message, runs after decoding the input message

  3. shibboleth.PostLookupAuditExtractors

    • Runs after establishing the sender's identity, supplements the input side with information about the relying party

  4. shibboleth.PostAssertionAuditExtractors

    • Extractors focused on authentication, session, and attribute information, runs after those processes and after the initial creation of the outgoing assertion (if relevant to the request)

  5. shibboleth.PostResponseAuditExtractors

    • Extractors focused on the outgoing message, runs after construction of the message

  6. shibboleth.LogoutRequestAuditExtractors

    • Extractors focused on information specific to a SAML LogoutRequest message, runs after decoding of the message

  7. shibboleth.LogoutAuditExtractors

    • Extractors focused on information in a non-SAML logout

  8. shibboleth.ErrorViewAuditExtractors

    • Extracts subject, session, and attribute information, runs in the event that a local error is generated

  9. shibboleth.consent.PreConsentAuditExtractors

    • Extracts basic information about the consent step, runs before a decision is made

    • Empty map beans are declared in conf/intercept/consent-intercept-config.xml

  10. shibboleth.consent.ConsentAuditExtractors

    • Extracts information about the decision, runs after a decision is made

    • Empty map beans are declared in conf/intercept/consent-intercept-config.xml

  11. shibboleth.PostRequestAuditExtractors

    • Extractors for an AuthnRequest built for proxied SAML SSO

  12. shibboleth.PostInboundResponseAuditExtractors

    • Extractors for a Response from proxied SAML SSO

  13. shibboleth.PostInboundAssertionAuditExtractors

    • Extractors for Assertions from proxied SAML SSO

Each entry in these maps is a key containing the string label to associate (the name of the field), and a value containing a Function<ProfileRequestContext,Object> instance. Functions can return either single objects that get converted to a string for logging, or a Collection of objects that are converted to strings and separated by commas within the logged field.

In this manner, you can add your own fields by implementing a function (or writing a script) to return any data you can find in the context tree and associating it with a custom field label by adding it to one of the maps named above.

...

Expand
titleBuilt-in SAML Fields

The more SAML-oriented fields that are supported out of the box are as follows (note that not every field is always populated; that depends on the timing of errors and the specific transaction being audited):

Field

Description

SP

Service provider name

IDP

Identity provider name

p

Protocol

b

Inbound binding

bb

Outbound binding

RS 4.1

RelayState

n

NameID value

f

NameID format

SPQ

NameID SPNameQualifier

pf

NameIDPolicy required format

PSPQ

NameIDPolicy required SPNameQualifier

i

Assertion ID

d

Assertion timestamp

I

Inbound message ID

D

Inbound message timestamp

II

InResponseTo

III

Outbound message ID

DD

Outbound message timestamp

t

AuthenticationInstant

x

SessionIndex

ac

AuthenticationContext

S

Status code

SS

Sub-status code

SM

Status message

pasv

IsPassive

fauth

ForceAuthn

SCC 4.2

Scoping ProxyCount from an AuthnRequest

SCI 4.2

Scoping IdP list from an AuthnRequest

SCR 4.2

Scoping Requester ID(s) from an AuthnRequest

PRC 4.2

ProxyRestriction ProxyCount

PRA 4.2

ProxyRestriction Audiences

XX

Signed inbound messages

X

Encrypted assertions

XA

Encryption algorithm

Expand
titleBuilt-in Authentication FIelds (V4.3+)

A few fields are defined for auditing specific information during authentication, which is a V4.3 feature; many are specific to particular login flows.

Field

Description

tu

Transformed username submitted for validation (Password flow only)

AR

Results of authentication attempt, either “Success” or classified error strings

CV

Specific CredentialValidator bean used (Password flow only)

Expand
titleAudit Log Output

In the output stage, a bean named shibboleth.AuditFormattingMap is used to write any number of log records containing any fields you configure to the logging API, at which point the Logback configuration takes over and decides how to send that data to particular log files or other log sinks. The bean is a map between logging categories and formatting strings.

The consent audit log relies on its own properties and beans to provide an audit format, so refer to that documentation for those specifics.

Formatting strings contain fields denoted with a '%' character followed by a field label, and any whitespace or punctuation terminates a field label and is included in the record directly.  Using '%%' will output a single percent character.

An additional bean, shibboleth.AuditSuppressedProfiles, contains a list of profile identifiers that should not result in audit log records. The default list is used to exempt the "status" handler from being logged. A partial list of profile IDs can be found in the MetadataDrivenConfiguration topic.

Finally, when errors are handled "locally" (see ErrorHandlingConfiguration), the IdP can be told whether to output an audit log record or not when the error event occurs. This is useful to suppress logging noise when common errors occur that would lead to a lot of useless auditing. The flag controlling this is inside the shibboleth.LocalEventMap bean in conf/errors.xml (the value of each map entry is the flag indicating whether to log).

...