logging the SAML messages

David Bantz dabantz at alaska.edu
Fri Apr 11 20:50:12 EDT 2014

Is there a straightforward way to include the unencrypted incoming and outgoing SAML assertion in logs?

The edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler logger
includes the unencrypted SAML assertion just prior to encryption and I’ve used that output
many times to document to Service Providers what I sent them, or in responding to claims 
from end users and end user support concerning the attributes sent.  But 
1) I have a small number of SPs that cannot consume encrypted assertions; the assertion 
isn’t added to the logs by that logger in those cases, and
2) that logger understandably does not include the incoming authN request.

The PROTOCOL_MESSAGE logger includes both the incoming request and the outgoing SAML assertion, 
and it’s human-readable if unencrypted, but turning that on creates massive output, usually 
not human-readable (encrypted).

Thanks for your suggestions,

David Bantz
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://shibboleth.net/pipermail/users/attachments/20140411/b84e6ef2/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 163 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://shibboleth.net/pipermail/users/attachments/20140411/b84e6ef2/attachment-0001.bin 

More information about the users mailing list