Logging the value of the id attribute of the <saml2p:Response> element

Cantor, Scott cantor.2 at osu.edu
Tue Jun 23 12:28:42 UTC 2020

> I think the IdP's session ID (what comes back as 'ID' in SAML response)

That isn't the IdP's session ID.

> But I don't have any experience with IdP logs...

Not every IdP is Shibboleth, and every IdP's audit log is up to the IdP deployer. Anything you use is at the discretion of the IdP logging it, so only communities can collectively standardize on something to ensure that people audit it. The SP is exactly the same way.

I audit at least 3-4 fields that are all individually sufficient to identify somebody.
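As an added illustration that is not part of the original post: a sketch of an SP-side audit record that logs several identifiers from a response, treating the `ID` of `<saml2p:Response>` as a per-message identifier rather than a session identifier. The choice of fields, the function names and the sample message are assumptions made for this example, not the fields the poster audits.

```python
import json
import xml.etree.ElementTree as ET

PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml2p": PROTO, "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample message (not from a real IdP); signature omitted.
SAMPLE_RESPONSE = """\
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp-1111" InResponseTo="_req-2222" Version="2.0"
    IssueInstant="2020-06-23T12:00:00Z">
  <saml2:Issuer>https://idp.example.org/idp</saml2:Issuer>
  <saml2:Assertion ID="_assert-3333" Version="2.0"
      IssueInstant="2020-06-23T12:00:00Z">
    <saml2:Subject><saml2:NameID>_nameid-4444</saml2:NameID></saml2:Subject>
    <saml2:AuthnStatement AuthnInstant="2020-06-23T11:59:58Z"
        SessionIndex="_sess-5555"/>
  </saml2:Assertion>
</saml2p:Response>
"""

def audit_fields(xml_text):
    """Collect identifiers from a response the SAML stack already validated."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % PROTO:
        raise ValueError("not a saml2p:Response")
    issuer = root.find("saml2:Issuer", NS)
    fields = {
        "response_id": root.get("ID"),          # identifies this message only
        "in_response_to": root.get("InResponseTo"),
        "issuer": issuer.text if issuer is not None else None,
        "assertion_id": None, "name_id": None, "session_index": None,
    }
    # An encrypted assertion is opaque here, so those fields stay None.
    assertion = root.find("saml2:Assertion", NS)
    if assertion is not None:
        fields["assertion_id"] = assertion.get("ID")
        name_id = assertion.find("saml2:Subject/saml2:NameID", NS)
        authn = assertion.find("saml2:AuthnStatement", NS)
        fields["name_id"] = name_id.text if name_id is not None else None
        # SessionIndex is a separate attribute from the Response ID.
        fields["session_index"] = authn.get("SessionIndex") if authn is not None else None
    return fields

def audit_line(xml_text):
    """One JSON audit line with stable key order for later correlation."""
    return json.dumps(audit_fields(xml_text), sort_keys=True)

if __name__ == "__main__":
    print(audit_line(SAMPLE_RESPONSE))
```

Whether any of these values can be matched on the other side depends on the IdP writing the same value to its own audit log.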

