Shibboleth Developers

[Bill Doster <>]

On Sep 20, 2007, at 16:17 , <> wrote:

Where (or how) do I get the IDP to start logging things like assertions

generated?  I can see the assertions that arrive on the Shibboleth SP

via it's logfiles, but I don't see anywhere that I am logging what was

sent on the IDP.  Do I simply need to change the loglevel for the audit

log?  If so, is there any place on the Wiki that defines what data I get

at the various log levels?

Well, on my dev IdP I get the following:

in IdP shib-access.log:

2007-08-29 09:34:43,621 Attribute assertion generated for provider (null) on behalf of principal (billdo) with the following attributes: (urn:mace:dir:attribute-def:eduPersonEntitlement)(urn:mace:dir:attribute-def:displayName)(urn:mace:dir:attribute-def:eduPersonPrincipalName)

2007-08-29 09:34:43,621 Attribute assertion (_47609c632994d15767a14d49c554a61c) issued to anonymous provider at (141.213.231.220) on behalf of principal (billdo).

and in IdP shib-error.log:

2007-08-29 09:34:43,621 INFO  [IdP] 411510098                           - Found 3 attribute(s) for billdo

2007-08-29 09:34:43,631 DEBUG [IdP] 411510098                           - Dumping generated SAML Response:

<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" InResponseTo="_cc363068a5107daf6e9aa990e864cda3" IssueInstant="2007-08-29T13:34:43.621Z" MajorVersion="1" MinorVersion="1" ResponseID="_b983e52fe64aac743473eb8d9ff92b58"><Status><StatusCode Value="samlp:Success"></StatusCode></Status><Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_47609c632994d15767a14d49c554a61c" IssueInstant="2007-08-29T13:34:43.621Z" Issuer="https://billdo-wsvr.staff.itd.umich.edu/shibboleth/testshib/idp" MajorVersion="1" MinorVersion="1"><Conditions NotBefore="2007-08-29T13:34:43.621Z" NotOnOrAfter="2007-08-29T14:04:43.621Z"><AudienceRestrictionCondition><Audience>urn:mace:shibboleth:testshib</Audience><Audience>https://billdo-sp.us.itd.umich.edu/shibboleth/testshib/sp</Audience><!

 /AudienceRestrictionCondition></Conditions><AttributeStatement><Subject><NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier" NameQualifier="https://billdo-wsvr.staff.itd.umich.edu/shibboleth/testshib/idp">_4dd05d2f659c49ade48b1b1b9b9b239c</NameIdentifier></Subject><Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonEntitlement" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"><AttributeValue>1</AttributeValue></Attribute><Attribute AttributeName="urn:mace:dir:attribute-def:displayName" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"><AttributeValue>William A Doster</AttributeValue></Attribute><Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"><AttributeValue>billdo</AttributeValue></Attribute></AttributeStatement></Assertion></Response>

2007-08-29 09:34:43,632 INFO  [IdP] 411510098                           - Successfully created response for principal (billdo).

You get the attribute count logging at an "INFO" level.  You need "DEBUG" to get the actual attribute names and the dump of the SAML response.