{"type":"doc","content":[{"type":"paragraph","content":[{"text":"It can be useful to have a point-in-time record of specific attributes, particularly generated attributes, for audit purposes. The Shibboleth Identity Provider (IdP) audit log provides an appropriate location and is probably already being centrally monitored for other purposes.","type":"text"}]},{"type":"paragraph","content":[{"text":"This example shows how to add the ","type":"text"},{"text":"eduPersonTargetedId","type":"text","marks":[{"type":"code"}]},{"text":" attribute as an extra field to the Shibboleth Identity Provider's audit log (","type":"text"},{"text":"idp-audit.xml","type":"text","marks":[{"type":"code"}]},{"text":"). This could also be used for other attributes such as ","type":"text"},{"text":"pairwise-id","type":"text","marks":[{"type":"code"}]},{"text":".","type":"text"}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"Assumptions","type":"text"}]},{"type":"paragraph","content":[{"text":"Your audit log configuration is unchanged from a v4.0 installation and your","type":"text"},{"text":" attribute resolver generates an attribute","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"94f723db-8a47-4bf1-866a-7fdfabf55c45"}}]},{"text":" named ","type":"text"},{"text":"eduPersonTargetedId","type":"text","marks":[{"type":"code"}]},{"text":" such as:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n \n\n \n \n ","type":"text"}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"Implementation","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Create a new bean to make arbitrary attributes available","type":"text"}]},{"type":"paragraph","content":[{"text":"In ","type":"text"},{"text":"conf/audit.xml","type":"text","marks":[{"type":"code"}]},{"text":", add the following ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" (at the end, before the closing ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":"). This script, based on the examples in ","type":"text"},{"text":"AuditLoggingConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631711"}}]},{"text":", takes a single or multi-valued attribute generated by the resolver and returns it to a calling bean. If the attribute is multi-valued then it delimits the values with a comma (","type":"text"},{"text":",","type":"text","marks":[{"type":"code"}]},{"text":") in the same way as Perl's ","type":"text"},{"text":"join(',', @list)","type":"text","marks":[{"type":"code"}]},{"text":".","type":"text"}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n \n \n \n \n \n\n","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Create a sub-bean for the specific attribute required","type":"text"}]},{"type":"paragraph","content":[{"text":"After the ","type":"text"},{"text":"AttributeValueExtraction","type":"text","marks":[{"type":"code"}]},{"text":" bean, add:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"","type":"text"}]},{"type":"paragraph","content":[{"text":"You can create multiple ","type":"text"},{"text":"audit-...","type":"text","marks":[{"type":"code"}]},{"text":" beans if you require multiple attributes to be made available in the audit log.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Create the audit log value","type":"text"}]},{"type":"paragraph","content":[{"text":"After the ","type":"text"},{"text":"audit-eduPersonTargetedID","type":"text","marks":[{"type":"code"}]},{"text":" bean, add:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":" \n \n \n \n \n \n ","type":"text"}]},{"type":"paragraph","content":[{"text":"This creates a new substitution value ","type":"text"},{"text":"%eduPersonTargetedID","type":"text","marks":[{"type":"code"}]},{"text":" based on the value returned from ","type":"text"},{"text":"audit-eduPersonTargetedID","type":"text","marks":[{"type":"code"}]},{"text":".","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Update the Audit log template to include the new value","type":"text"}]},{"type":"paragraph","content":[{"text":"In ","type":"text"},{"text":"conf/audit.xml","type":"text","marks":[{"type":"code"}]},{"text":", find ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" which may look like:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n \n","type":"text"}]},{"type":"paragraph","content":[{"text":"Add the new attribute (","type":"text"},{"text":"%eduPersonTargetedID","type":"text","marks":[{"type":"code"}]},{"text":")to the end of the template:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n \n","type":"text"}]},{"type":"paragraph","content":[{"text":"and restart the IdP.","type":"text"}]}],"version":1}