shibboleth-dev - Re: [Shib-Dev] Parseable audit logs for SP
  • From: Kristof Bajnok <>
  • To:
  • Subject: Re: [Shib-Dev] Parseable audit logs for SP
  • Date: Wed, 9 Feb 2011 11:01:35 +0100
  • Organization: NIIF Institute

I strongly support this idea. Details below:

On Tuesday 08 February 2011 22:28:58 Philip Brusten wrote:
> I think, the SP audit log should contain at least the following fields
> delimited by a '|':
> - Authentication Time
> - SessionId
> - REMOTE_USER if any
> - Client IP address
> - Authentication Context Class
> - User-agent
> - Application id
> - entityID of SP
> - entityID of IdP
> - Protocol
> - Binding
> - filtered attribute IDs

The NameID would be very important to include, as this is often different from
REMOTE_USER, although the qualifiers should be probably omitted.

OTOH I can not think of any good use of User-Agent and Protocol (should that
mean http/https?) fields, IMO these would only generate noise. SP entityID
seems to be redundant with the application id; if that's true, I'd keep the
application id.

I suppose that a timestamp should also be logged if it's not done implicitly
by the library. For audit logs, I prefer to use unix timestamps, but as long
as it is machine parseable, any solution would do.

The IdP contains many specifics of the SAML exchange (request id, assertion
ids, etc), but I think, for an SP audit log, these are of little use.

To sum up, I'd propose the following record format:

timestamp|sessionId|REMOTE_USER|NameID|client_IP|appId|IDP_entityid|binding|authnTime|authncontext|filtered_attribute_ids

Kristof
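The following is an added example, not code from the Shibboleth SP or from this thread: a parser for the pipe-delimited record format proposed in the message above, with a strict field-count check so a stray '|' inside a value is rejected rather than silently shifting later fields. It assumes unix timestamps, comma-separated attribute IDs and empty fields for absent values; the sample lines are constructed.

```python
"""Parse the proposed SP audit record format (added example, not project code).

Assumptions (not part of the proposal): timestamps are unix epoch seconds,
filtered attribute IDs are comma-separated, absent values are empty fields.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

FIELDS = ("timestamp", "sessionId", "REMOTE_USER", "NameID", "client_IP",
          "appId", "IDP_entityid", "binding", "authnTime", "authncontext",
          "filtered_attribute_ids")


@dataclass
class AuditRecord:
    timestamp: datetime
    session_id: str
    remote_user: Optional[str]   # None when REMOTE_USER was not set
    name_id: Optional[str]
    client_ip: str
    app_id: str
    idp_entity_id: str
    binding: str
    authn_time: datetime
    authn_context: str
    attribute_ids: List[str]


def parse_record(line: str) -> AuditRecord:
    """Split one record on '|'; reject lines whose field count is off."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    d = dict(zip(FIELDS, parts))
    epoch = lambda s: datetime.fromtimestamp(int(s), tz=timezone.utc)
    return AuditRecord(
        timestamp=epoch(d["timestamp"]), session_id=d["sessionId"],
        remote_user=d["REMOTE_USER"] or None, name_id=d["NameID"] or None,
        client_ip=d["client_IP"], app_id=d["appId"],
        idp_entity_id=d["IDP_entityid"], binding=d["binding"],
        authn_time=epoch(d["authnTime"]), authn_context=d["authncontext"],
        attribute_ids=[a for a in d["filtered_attribute_ids"].split(",") if a],
    )


# Constructed sample records (hypothetical values, not real log output).
SAMPLE = (
    "1297245695|_abc123|jdoe@example.org|jdoe|192.0.2.10|default|"
    "https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|"
    "1297245690|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eppn,mail\n"
    "1297245700|_def456||_persistent-xyz|198.51.100.7|default|"
    "https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|"
    "1297245698|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|\n"
)


def sessions_without_remote_user(text: str) -> List[str]:
    """Session IDs of records that carry a NameID but no REMOTE_USER."""
    return [r.session_id for r in map(parse_record, text.splitlines())
            if r.remote_user is None]
```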
