SAML f-ticks for Shibboleth
Log format
The F-TICKS format implemented by this log appender is a generalization of the eduroam F-TICKS format:
'F-TICKS/' federationIdentifier '/' version *('#' attribute '=' value ) '#'
In SWAMID, federationIdentifier is 'SWAMID' and version is '1.0'.
The attributes exposed are:
Name | Description
---|---
TS | the login time stamp
RP | the relying party entityID
AP | the asserting party entityID (typically the IdP)
PN | a SHA-256 hash of the local principal name and a unique key (the salt)
AM | the authentication method URN
These instructions are known to work with Shibboleth Identity Provider version 3.1 or later.
Configuration
Configuration is done in idp.properties:
Salt
Use the following command to generate a salt:
openssl rand -base64 36 2>/dev/null
Do not lose this salt once you have started to generate logs. If the salt is lost or reset, every local principal name will appear to analysis tools to have changed, so avoid this!
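To make the log format and the salt warning concrete, here is an added example (not code from the Shibboleth IdP or SWAMID) that builds and parses F-TICKS lines and computes the PN value. The event values and the salt are constructed; the page does not say in which order the principal name and the salt are combined before hashing, so principal + salt is an assumption here.

```python
import hashlib
import re

# Constructed sample login event; not real SWAMID data.
SAMPLE_EVENT = {
    "TS": "1406040501",
    "RP": "https://sp.example.org/shibboleth",
    "AP": "https://idp.example.edu/idp/shibboleth",
    "AM": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
}
# Constructed salt for the example only; generate a real one with openssl rand -base64 36.
SAMPLE_SALT = "constructed-salt-do-not-use"

def hash_principal(principal, salt, algorithm="SHA-256"):
    """PN value: hex digest of the local principal name combined with the salt.
    Assumption: principal + salt is hashed; the page does not state the order."""
    h = hashlib.new(algorithm.replace("-", "").lower())
    h.update((principal + salt).encode("utf-8"))
    return h.hexdigest()

def format_fticks(attributes, federation="SWAMID", version="1.0"):
    """Render 'F-TICKS/' federation '/' version *('#' attribute '=' value) '#'."""
    parts = [f"F-TICKS/{federation}/{version}"]
    for name, value in attributes.items():
        # '#' is the field separator and '=' splits name from value, so they must not appear there.
        if "#" in name or "#" in value or "=" in name:
            raise ValueError(f"attribute {name!r} would break the F-TICKS grammar")
        parts.append(f"{name}={value}")
    return "#".join(parts) + "#"

FTICKS_RE = re.compile(r"^F-TICKS/([^/#]+)/([^/#]+)((?:#[^#=]+=[^#]*)*)#$")

def parse_fticks(line):
    """Parse one F-TICKS line into (federation, version, attributes); reject malformed lines."""
    m = FTICKS_RE.match(line)
    if not m:
        raise ValueError("not an F-TICKS line")
    federation, version, attrs = m.groups()
    attributes = {}
    for field in attrs.split("#")[1:]:
        name, _, value = field.partition("=")
        attributes[name] = value
    return federation, version, attributes

def make_record(principal, salt, event=SAMPLE_EVENT):
    """Build the full log line for one login, adding the salted PN hash to the event."""
    attrs = dict(event)
    attrs["PN"] = hash_principal(principal, salt)
    return format_fticks(attrs)
```

Hashing the same principal with two different salts yields two unrelated PN values, which is exactly why a lost or reset salt makes every user look new to analysis tools.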
Enable the logging
Add the following options to idp.properties:
idp.fticks.federation=SWAMID
idp.fticks.algorithm=SHA-256
idp.fticks.salt=<salt>
idp.fticks.loghost=syslog.swamid.se