Introduction
...
Log format
...
Log format
The F-TICKS format implemented by this log appender is a generalization of the eduroam F-TICKS format:
...
In SWAMID federationIdentifier
is 'SWAMID' and version
is '21.0'.
The attributes exposed are:
Name | Description |
---|---|
TS | the login time stamp |
RP | the relying party entityID |
AP | the asserting party entityID (typcially the IdP) |
PN | a sha256-hash of the local principal name and a unique key |
AM | the authentication method URN |
The unique key is stored in a key file and is automatically generated if missing. If this key is lost or reset then all local principal names will appear to have changed to analysis tools so avoid this!
...
The instruction is know to work for Shibboleth Identity Provider version
...
3.
...
1 or later.
...
...
Configuration
Configuration is done in loggingidp.xmlproperties:
Appender
Add an appender definition to logging.xml close to where the other appenders are (before the loggers).
Code Block | ||
---|---|---|
| ||
<appender name="IDP_FTICKS" class="net.nordu.logback.FTicksAppender">
<syslogHost>syslog.swamid.se</syslogHost>
<federationIdentifier>SWAMID</federationIdentifier>
<version>2.0</version>
<keyFile>/opt/shibboleth-idp/conf/fticks-key.txt</keyFile>
<blacklist>^monitor$$</blacklist> <!-- no logging for user monitor -->
</appender>
|
Code Block | ||
---|---|---|
| ||
<appender name="IDP_FTICKS" class="net.nordu.logback.FTicksAppender">
<syslogHost>syslog.swamid.se</syslogHost>
<federationIdentifier>SWAMID</federationIdentifier>
<version>2.0</version>
<keyFile>C:/Program Files (x86)/Internet2/Shib2IdP/conf/fticks-key.txt</keyFile>
<blacklist>^monitor$$</blacklist> <!-- no logging for user monitor -->
</appender>
|
Change the keyFile to point to where you want to store your random key for protecting local principal names.
Salt
Use the following command to generate a salt
Code Block |
---|
openssl rand -base64 36 2>/dev/null |
Warning |
---|
Do not lose this salt |
Warning |
Do not loose this file once you've started to generate logs |
...
. If this salt is lost or reset then all local principal names will appear to have changed to analysis tools so avoid this! |
Enable the
...
logging
Add the appender to the Shibboleth-Audit logger by changing
Code Block |
---|
<logger name="Shibboleth-Audit" level="ALL">
<appender-ref ref="IDP_AUDIT" />
</logger>
|
to
Code Block |
---|
<logger name="Shibboleth-Audit" level="ALL">
<appender-ref ref="IDP_AUDIT" />
<appender-ref ref="IDP_FTICKS" />
</logger>
|
This assumes that you haven't changed logging.xml from the default.
Build software
To build fticks, you need git, maven and Java JDK.
Code Block | ||
---|---|---|
| ||
# git clone git://github.com/leifj/ndn-shib-fticks.git
# cd ndn-shib-fticks
# mvn
... build finishes ...
|
Code Block | ||
---|---|---|
| ||
$ cd Desktop
$ git clone git://github.com/leifj/ndn-shib-fticks.git
$ cd ndn-shib-fticks
$ export JAVA_HOME="/c/Program Files (x86)/Java/jdk1.7.0_25"
$ /c/apache-maven-3.1.0/bin/mvn
... build finishes ...
|
The target directory should contain a jar-file. This is what you need for the next step.
Install software
Copy the jar-file to
Code Block | ||
---|---|---|
| ||
shibboleth-identity-provider-2.2.x/lib
|
Code Block | ||
---|---|---|
| ||
C:/Program Files (x86)/Internet2/Shib2IdPInstall/lib
|
...
following options to idp.properties
Code Block |
---|
idp.fticks.federation=SWAMID
idp.fticks.algorithm=SHA-256
idp.fticks.salt=<salt>
idp.fticks.loghost=syslog.swamid.se
|