Logging the value of the id attribute of the <saml2p:Response> element
Koren, Meshna (ELS-AMS)
M.Koren at elsevier.com
Tue Jun 23 10:35:34 UTC 2020
Hi Scott,
We're trying to solve the puzzle of what the SP has that it can give to the IdP that will help the IdP find a user (with potentially compromised credentials, or just not being aware of the terms and conditions) without much ado, in a privacy-preserving fashion (okay, the IdP will know who the user is, but the SP won't) and in a scalable way.
I think the IdP's session ID (what comes back as 'ID' in the SAML response) and the timestamp (what comes back as 'IssueInstant' in the SAML response) should be sufficient for the IdP to be able to find a specific session in their logs and, with it, user info; it should be the most convenient, and it's also the most generic solution, since we can count on these two values to always be present. But I don't have any experience with IdP logs...
It's been mentioned elsewhere that a pseudonymous ID can be useful to an IdP to identify the user (and sometimes the IdPs ask for it, but I suspect they're mistaken), and I don't really understand the value of that; I imagine the attribute assertion will often be encrypted in the logs as well, and the pseudonymous ID with it, and in itself it won't tell the IdP much about the user unless they're able to reverse engineer it, which shouldn't be possible... or if it happens to be included in the logged session info with other user data... and that session info can also be found by a session ID and timestamp.
But what do you think?
Thanks,
Meshna
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Wessel, Keith
Sent: Monday, June 15, 2020 17:12
To: Shib Users <users at shibboleth.net>
Subject: RE: Logging the value of the id attribute of the <saml2p:Response> element
Thanks, Scott. Somehow, I missed the fact that this is defined in audit.xml. The configuration is clear now, and I see the item I was looking for right after the IdP entityID and response binding in the default audit log entry format.
Keith
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Monday, June 15, 2020 9:52 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Logging the value of the id attribute of the <saml2p:Response> element
On 6/15/20, 10:38 AM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:
> So, I assume that %msg is preconfigured for several of these tokens
> for the audit log entries. Is it best practice to just add to that, or is it recommended that we rebuild what currently comes out of %msg from these tokens?
The audit log format is controlled by audit.xml and adding or changing fields is done there. You can't add fields (other than a couple of minor exceptions) any other way.
-- Scott
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
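The correlation Meshna describes (SP hands over the Response ID and IssueInstant, IdP looks them up in its own audit log and recovers the principal) is straightforward to script once the audit.xml field order is known. The following is an added example written for this thread, not Shibboleth project code. It assumes the pipe-delimited SSO audit format `%T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n` (the leading fields of what I believe the IdP v4 default audit.xml emits; Keith's "right after the IdP entityID and response binding" is the `%III` outbound message ID, which is the `<saml2p:Response>` ID), a `%T` timestamp of the form `20200615T150201Z`, and constructed sample log lines with hypothetical entityIDs and usernames. Check your own audit.xml and adjust `FIELDS` and `parse_audit_time` if your deployment differs.

```python
"""Correlate an SP-side SAML Response (ID + IssueInstant) with Shibboleth IdP
audit log entries to recover the authenticated principal.

Added example for this thread; not Shibboleth project code.  Field order,
timestamp format, entityIDs and log lines below are assumptions/constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# ASSUMED field order: leading fields of the (believed) IdP v4 default audit.xml.
FIELDS = [
    "time",           # %T    event time, assumed form yyyyMMdd'T'HHmmss'Z'
    "in_binding",     # %b    inbound (AuthnRequest) binding
    "in_msg_id",      # %I    inbound message ID (the AuthnRequest ID)
    "sp",             # %SP   relying party (SP) entityID
    "profile",        # %P    profile ID
    "idp",            # %IDP  IdP entityID
    "out_binding",    # %bb   outbound (Response) binding
    "out_msg_id",     # %III  outbound message ID == <saml2p:Response ID="...">
    "principal",      # %u    authenticated username (what the SP never sees)
    "authn_context",  # %ac   authentication context class
    "attributes",     # %attr released attribute IDs (names, not values)
    "name_id",        # %n    NameID value sent to the SP
]

# Constructed sample audit lines (hypothetical entityIDs, IDs and users).
SAMPLE_AUDIT: List[str] = [
    "20200615T150201Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_3a9d11c0"
    "|https://sp.example.com/shibboleth|urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser"
    "|https://idp.example.edu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    "|_e1f9c0ff2a6b4d3e|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    "|eduPersonScopedAffiliation,eduPersonTargetedID|_8c7dbb0e21",
    "20200615T150215Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_5c01ee7a"
    "|https://sp.example.com/shibboleth|urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser"
    "|https://idp.example.edu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    "|_7b2d4e9af0c31185|asmith|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    "|eduPersonScopedAffiliation,eduPersonTargetedID|_0f44a2d9c7",
    "20200615T150210Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_9e6b2207"
    "|https://other.example.org/sp|urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser"
    "|https://idp.example.edu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    "|_aa1193fc5d0e7b26|bjones|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    "|mail|_d21e7c0b98",
]


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split one pipe-delimited audit line into a dict keyed by FIELDS.
    Any trailing fields beyond FIELDS are kept positionally as extra0, extra1, ..."""
    parts = line.rstrip("\n").split("|")
    rec = dict(zip(FIELDS, parts))
    for i, extra in enumerate(parts[len(FIELDS):]):
        rec[f"extra{i}"] = extra
    return rec


def parse_audit_time(value: str) -> datetime:
    """Parse the assumed compact %T form (UTC)."""
    return datetime.strptime(value, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_issue_instant(value: str) -> datetime:
    """SAML IssueInstant is xs:dateTime in UTC ('Z'), optionally with fractional seconds."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def find_session(audit_lines: List[str], response_id: Optional[str] = None,
                 issue_instant: Optional[str] = None, sp_entity_id: Optional[str] = None,
                 window: timedelta = timedelta(seconds=30)) -> List[Dict[str, str]]:
    """Return the audit records matching what the SP can hand over.

    With a Response ID the match is exact on %III and IssueInstant only acts as a
    sanity check.  Without an ID, fall back to SP entityID plus a time window,
    which may yield several candidates for the IdP operator to sift through.
    """
    want = parse_issue_instant(issue_instant) if issue_instant else None
    hits: List[Dict[str, str]] = []
    for line in audit_lines:
        if not line.strip():
            continue
        rec = parse_audit_line(line)
        if response_id is not None:
            if rec.get("out_msg_id") != response_id:
                continue
        elif sp_entity_id is None or rec.get("sp") != sp_entity_id:
            continue
        if want is not None:
            try:
                logged = parse_audit_time(rec["time"])
            except (KeyError, ValueError):
                continue  # malformed/truncated line: skip rather than match
            if abs(logged - want) > window:
                continue
        hits.append(rec)
    return hits


if __name__ == "__main__":
    # What the SP would send the IdP: Response ID + IssueInstant, nothing about the user.
    for rec in find_session(SAMPLE_AUDIT, "_e1f9c0ff2a6b4d3e", "2020-06-15T15:02:01Z"):
        print(rec["time"], rec["sp"], "->", rec["principal"], "released:", rec["attributes"])
```

Two things the script makes visible that the thread only implies: the audit log records the principal (`%u`) in the clear regardless of whether the assertion on the wire was encrypted, so the IdP needs nothing pseudonymous from the SP to identify the user once it has the Response ID; and `%attr` lists released attribute names, not values, so the log by itself does not let the IdP reverse a pseudonymous ID either. The time window is deliberately a sanity check, not a key: the Response ID is unique per message, whereas IssueInstant alone narrows a busy SP only to a handful of candidates.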