
shibboleth-dev - Re: Custom logging in Shibboleth 1.3 IdP

Subject: Shibboleth Developers

  • From: "Simone Avogadro" <>
  • To:
  • Subject: Re: Custom logging in Shibboleth 1.3 IdP
  • Date: Mon, 30 Jul 2007 14:47:02 +0200

Hi Tom,
  thanks for the answer, I will try to dig into the IdP logs so as to understand if this is enough for us. The only real problem I foresee is the bi-directionality of this information, but probably we might address this problem by post-processing and merging the logs so as to make it one-way.

               thanks for helping,
                                        -Simone

 P.S.: I don't actually understand very well what already exists within Shibboleth and what needs to be implemented, so I made my choice of posting to shib-dev by a raw guess...


2007/7/27, Tom Scavo <>:
[this thread probably belongs in shibboleth-users]

Hi Simone,

Since the authentication step is separate from Shibboleth, the logging
of the authentication context is mostly out of scope (as Scott said).
I say "mostly" since the IdP will accept three values from the
authentication service:

1. the authenticated user name (via REMOTE_USER)
2. the time of authentication (AuthenticationInstant)
3. the method of authentication (AuthenticationMethod)

These values will be logged by the IdP along with other detailed
information regarding the authentication assertion it issues to the
SP.  Does this help?

Tom

On 7/27/07, Simone Avogadro <> wrote:
> Thanks for the answer Scott!
> Here in Italy (and elsewhere in the world nowadays, I suppose) we have some
> laws which require us to track whom we are giving access to services and we
> try to do it in the most privacy-aware way.
> Do you have at hand any document/link that you believe might help us?
>
>
>     -Simone
>
> --
> ------------------------------------------------------
> Simone Ing. Avogadro
> Wise-Lab S.r.l.
> via del Lavoro, 16 - 22100 Como (Italy)
> Email: simone.avogadro/at/wise-lab.it
> Tel/Fax: +39-031-526012
> Web: http://www.wise-lab.it
> ------------------------------------------------------
>
>
>
> Read the privacy notice pursuant to Art. 13 of Legislative Decree No. 196 of
> 30 June 2003 on the processing of personal data:
>  http://www.wise-lab.it/switch/switch2Meta.jsp?meta=90
> 2007/7/26, Scott Cantor <>:
> > >  we are going to set up a Shibboleth IdP and are considering which data to
> > > track during the authentication process
> > > in order to do this the auth application needs to know which
> > > shibboleth-session-id has been assigned to the authenticated user
> >
> > There is no such thing, the current IdP is nominally stateless and any
> > sessions are handled by the authentication component.
> >
> > -- Scott
> >
> >
> >
> >
>
>



