...
Another audit record stream exists for logging decisions made by users regarding attribute release and terms of use acceptance and is routed by default through a logger named "Shibboleth-Consent-Audit" to a file called idp-consent-audit.log.
...
| Expand |
|---|
|
General beans defined in audit.xml, errors.xml, and related system configuration are: Bean ID | Type | Function |
|---|
shibboleth.AuditFormattingMap | Map<String,String> | Map of logging categories to audit formatting strings for general audit logging | shibboleth.AuditDateTimeFormat | String | DateTimeFormat string to apply to DateTime fields (but does not apply to the logback-generated field at the beginning of the log line) | shibboleth.AuditDefaultTimeZone | Boolean | Whether to convert DateTime fields into the machine's default time zone (UTC is used otherwise) | shibboleth.AuditFieldReplacementMap | Map<String,String> | Map of replacement strings to substitute in when populating audit fields (simple way to shrink long constants down to size) | shibboleth.AuditSuppressedProfiles | List<String> | List of profiles to skip auditing | shibboleth.LocalEventMap | Map<String,Boolean> | Map of local error events to flags indicating whether to output an audit log record | shibboleth.SuppressedEvents | List<String> | List of events that should not be logged as "errors" by the process log (generally leaving them to the audit log) | shibboleth.DefaultSuppressedEvents | List<String> | Default list of events used in place of shibboleth.SuppressedEvents bean |
In addition, there are a set of standard beans containing the map of field extractors for all of the various "interception points" of the processing of the IdP. A pair of beans are reserved for each point, a default set that comes out of the box, and a defined bean ID to override or add to those defaults. Each of these beans is of type Map<String,Function<ProfileRequestContext,Object>> shibboleth.FlowStartAuditExtractors / shibboleth.DefaultFlowStartAuditExtractors shibboleth.PostDecodeAuditExtractors / shibboleth.DefaultPostDecodeAuditExtractors shibboleth.PostLookupAuditExtractors / shibboleth.DefaultPostLookupAuditExtractors shibboleth.PostAssertionAuditExtractors / shibboleth.DefaultPostAssertionAuditExtractors shibboleth.PostResponseAuditExtractors / shibboleth.DefaultPostResponseAuditExtractors shibboleth.PostRequestAuditExtractors / shibboleth.DefaultPostRequestAuditExtractors shibboleth.PostInboundResponseAuditExtractors / shibboleth.DefaultPostInboundResponseAuditExtractors shibboleth.PostInboundAssertionAuditExtractors / shibboleth.DefaultPostInboundAssertionAuditExtractors shibboleth.LogoutRequestAuditExtractors / shibboleth.DefaultLogoutRequestAuditExtractors shibboleth.LogoutAuditExtractors / shibboleth.DefaultLogoutAuditExtractors shibboleth.ErrorViewAuditExtractors / shibboleth.DefaultErrorViewAuditExtractors shibboleth.consent.PreConsentAuditExtractors / shibboleth.consent.DefaultPreConsentAuditExtractors shibboleth.consent.ConsentAuditExtractors / shibboleth.consent.DefaultConsentAuditExtractors
With V4.3+, an additional set of beans for each login flow are added: |
| Expand |
|---|
|
Properties are defined in services.properties to customize various aspects of audit logging: Property | Type | Default | Function |
|---|
idp.service.logging.saml1sso | String | SSO | Suffix added to audit logging category when various profiles/flows are audited, you can use this to route different kinds of audit records to different destinations based on general function | idp.service.logging.saml1attrquery | String | AttributeQuery | idp.service.logging.saml1artifact | String | ArtifactResolution | idp.service.logging.saml2sso | String | SSO | idp.service.logging.saml2attrquery | String | AttributeQuery | idp.service.logging.saml2artifact | String | ArtifactResolution | idp.service.logging.saml2slo | String | Logout | idp.service.logging.logout | String | Logout | idp.service.logging.cas | String | SSO | idp.service.logging.status | String | Status | idp.service.logging.resolvertest | String | ResolverTest | idp.service.logging.serviceReload | String | Reload | idp.audit.shortenBindings | Boolean | false | Allows simpler "short names" of SAML bindings and other (configurable) constants to appear in the audit log, instead of full URIs | idp.audit.hashAlgorithm 4.1 | String | SHA-256 | Hash algorithm to apply to various hashed fields | idp.audit.salt 4.1 | String | | Salt to apply to hashed fields, must be set to use those fields |
Additional properties are housed in authn/authn.properties to enable and customize authentication auditing. The <Flow> token in the various property names below is a stand-in for the actual login flow suffix (Password, External, RemoteUser, etc.), as these are per-flow properties. Property | Type | Default | Function |
|---|
idp.authn.audit.enabled 4.3 | Boolean | false | Enables the authentication audit logging feature | idp.authn.<Flow>.audit.enabled 4.3 | Boolean | %{idp.authn.audit.enabled} | Enables audit logging for a specific login flow | idp.authn.<Flow>.audit.category 4.3 | String | Shibboleth-Audit.<Flow> | Log category for audit records for a specific login flow | idp.authn.Password.audit.format 4.3 | String | %a|%T|%SP|%I|%s|%AF|%CV|%u|%tu|%AR|%UA | Audit formatting string for this login flow | idp.authn.Duo.audit.format 4.3 | String | %a|%T|%SP|%I|%s|%AF|%u|%AR|%DuoCID|%DuoF|%DuoDID|%UA | Audit formatting string for this login flow | idp.authn.External.audit.format 4.3 | String | %a|%T|%SP|%I|%s|%AF|%u|%AR|%UA | Audit formatting string for this login flow | idp.authn.Function.audit.format 4.3 | String | %a|%T|%SP|%I|%s|%AF|%u|%AR|%UA | Audit formatting string for this login flow | idp.authn.IPAddress.audit.format 4.3 | String | %a|%T|%SP|%I|%s|%AF|%CV|%u|%AR|%UA | Audit formatting string for this login flow | idp.authn.RemoteUser.audit.format 4.3 | String | %a|%T|%SP|%I|%s|%AF|%CV|%u|%AR|%UA | Audit formatting string for this login flow | idp.authn.RemoteUserInternal.audit.format 4.3 | String | %a|%T|%SP|%I|%s|%AF|%CV|%u|%AR|%UA | Audit formatting string for this login flow | idp.authn.SPNEGO.audit.format 4.3 | String | %a|%T|%SP|%I|%s|%AF|%u|%AR|%UA | Audit formatting string for this login flow | idp.authn.X509.audit.format 4.3 | String | %a|%T|%SP|%I|%s|%AF|%X509S|%X509I|%AR|%UA | Audit formatting string for this login flow | idp.authn.X509Internal.audit.format 4.3 | String | %a|%T|%SP|%I|%s|%AF|%X509S|%X509I|%AR|%UA | Audit formatting string for this login flow |
|