Versions Compared

Old Version 1

changes.mady.by.user Leif Johansson

Saved on

compared with

New Version Current

changes.mady.by.user Pål Axelsson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Introduction

This is a logback (http://logback.qos.ch/Image Removed) appender for writing "SAML F-TICKS" to syslog based on Shibboleth (http://shibboleth.internet2.eduImage Removed) Audit Logs.

This is an "uggly hack" (TM) that transforms the Audit Log format into the F-TICKS format. The purpose of this appender is to produce a privacy-preserving stream of audit data which can be used to produce federation-wide usage statistics.

Log format

The F-TICKS format implemented by this log appender is a generalization of the eduroam F-TICKS format:

Code Block

'F-TICKS/' federationIdentifier '/' version *('#' attribute '=' value ) '#'

In eduroam SWAMID federationIdentifier is 'eduroamSWAMID' and version is '1.0'. This implementation allows these values to be defined. The eduroam pattern SHOULD NOT be reused, instead consider using something that identifies the federation.

The attributes exposed are:

Name

Description

TS

the login time stamp

RP

the relying party entityID

AP

the asserting party entityID (typcially the IdP)

PN

a sha256-hash of the local principal name and a unique key

AM

the authentication method URN



The

...

instruction is know to work for Shibboleth Identity Provider version 3.1 or later.

Configuration

Configuration is done in loggingidp.xml: 1) Add an appender definition:properties:

Salt

Use the following command to generate a salt

Code Block

<appender name="IDP_FTICKS" class="net.nordu.logback.FTicksAppender">
   <syslogHost>syslog.example.org</syslogHost>
   <federationIdentifier>swamid</federationIdentifier>
   <version>1.0</version>
   <keyFile>/opt/shibboleth-idp/conf/fticks-key.txt</keyFile>
</appender>

Change the keyFile to point to where you want to store your random key for protecting local principal names.

...

openssl rand -base64 36 2>/dev/null


Warning

Do not lose this salt once you've started to generate logs

...

The other options should be self-explanatory.

2) Add the appender to the Shibboleth-Audit logger by changing

Code Block

<logger name="Shibboleth-Audit" level="ALL">
   <appender-ref ref="IDP_AUDIT" />
</logger>

to

Code Block

<logger name="Shibboleth-Audit" level="ALL">
   <appender-ref ref="IDP_AUDIT" />
   <appender-ref ref="IDP_FTICKS" />
</logger>

This assumes that you haven't changed logging.xml from the default.

3) Build:

Code Block

# git clone git://github.com/leifj/ndn-shib-fticks.git
# cd ndn-shib-fticks
# mvn 
... build finishes ...

The target directory should contain a jar-file. This is what you need for the next step.

...

. If this salt is lost or reset then all local principal names will appear to have changed to analysis tools so avoid this!


Enable the logging

Add the following options to idp.properties

Code Block
idp.fticks.federation=SWAMID
idp.fticks.algorithm=SHA-256
idp.fticks.salt=<salt>
idp.fticks.loghost=syslog.swamid.se