shibboleth-dev - Re: Chances for audit logging in 1.3?

  • From: Thomas Lenggenhager <>
  • To: "Scott Cantor" <>
  • Cc: "'Walter Hoehn'" <>, "'Shibboleth Developers'" <>
  • Subject: Re: Chances for audit logging in 1.3?
  • Date: Mon, 25 Apr 2005 13:34:19 +0200

> I've done nothing to the SP transaction logs. I don't think there's any
> agreement on what to add. I might annotate things a little just because
> we've added the artifact profile, but that's minor.

Walter: What's implemented for 1.3 on the IdP side?

> Logging attribute values in particular seems like a very bad idea from a
> privacy standpoint, and apart from that I can't think what else I would add.
> The debug logs of course show everything, but nobody is supposed to do that
> in production.

Agreed for the attribute values, that is problematic.
But I think there is value (beyond mere debug logging) for at least
logging on an SP info about the Shib user sessions:
- when a session (with some unique session ID) starts (which IdP
provided which handle)
- when an attribute request takes place (which attributes (if any) get
requested from which AA)
- when an attribute assertion is received (which attributes get received
from which AA)
- when a session ends (not applicable as long as there is no logout
implemented)

In which way would you otherwise, in an operational environment with
debug logging turned off, trace down what really happened if the admin of
a shib-protected web application shows up after the weekend and wants to
know which (to him anonymous) user consumed so many resources on his
web app?

Based on such an audit log you could go back to the IdP admin and he could
find out the account through which this activity was authenticated.

Thomas
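As an added illustration (not code from this thread or from Shibboleth itself), here is a constructed SP-side audit log in the shape the message above proposes, recording attribute names but never values, together with a helper that traces one session ID back to the IdP, handle and AAs involved; the event names, line format, IdP/AA identifiers and handle are all hypothetical.

```python
import uuid
from datetime import datetime, timezone


class SpAuditLog:
    """Constructed example, not the Shibboleth SP's own logger: one line per event."""

    def __init__(self):
        self.lines = []

    def _emit(self, event, sid, **fields):
        ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        body = " ".join(f"{k}={v}" for k, v in fields.items())
        self.lines.append(f"{ts} {event} session={sid} {body}")

    def session_start(self, idp, handle):
        # New session: record which IdP issued which (opaque) handle.
        sid = uuid.uuid4().hex
        self._emit("SESSION_START", sid, idp=idp, handle=handle)
        return sid

    def attribute_request(self, sid, aa, names):
        # Attribute *names* only, never values; empty list = "whatever the AA releases".
        self._emit("ATTR_REQUEST", sid, aa=aa, attrs=",".join(names) or "-")

    def attribute_received(self, sid, aa, names):
        self._emit("ATTR_RECEIVED", sid, aa=aa, attrs=",".join(names) or "-")

    def session_end(self, sid, reason):
        self._emit("SESSION_END", sid, reason=reason)


def trace_session(lines, sid):
    """Rebuild one session from the log: which IdP/handle, and which attribute
    names were requested from / received from which AA."""
    trace = {"idp": None, "handle": None, "requested": [], "received": [], "ended": False}
    for line in lines:
        _ts, event, *kv = line.split(" ")
        f = dict(p.split("=", 1) for p in kv)
        if f.get("session") != sid:
            continue
        names = [] if f.get("attrs", "-") == "-" else f["attrs"].split(",")
        if event == "SESSION_START":
            trace["idp"], trace["handle"] = f["idp"], f["handle"]
        elif event == "ATTR_REQUEST":
            trace["requested"].append((f["aa"], names))
        elif event == "ATTR_RECEIVED":
            trace["received"].append((f["aa"], names))
        elif event == "SESSION_END":
            trace["ended"] = True
    return trace
```

With the handle and session ID in hand, the SP admin can ask the IdP admin which account the handle was issued to, without any attribute values ever having been written to the SP's log.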




Archive powered by MHonArc 2.6.16.
