
Introduction

This is a logback (http://logback.qos.ch/) appender that writes "SAML F-TICKS" records to syslog, derived from the Shibboleth (http://shibboleth.internet2.edu) Identity Provider audit log. It is a bit of an "ugly hack" (TM): it transforms the audit log format into the F-TICKS format. The purpose of the appender is to produce a privacy-preserving stream of audit data (principal names are replaced by keyed hashes) from which federation-wide usage statistics can be derived.

Log format

The F-TICKS format implemented by this appender is a generalization of the eduroam F-TICKS format, one record per line:

'F-TICKS/' federationIdentifier '/' version *('#' attribute '=' value ) '#'

In SWAMID federationIdentifier is 'SWAMID' and version is '2.0'.

The attributes exposed are:

Name  Description
TS    the login time stamp
RP    the relying party entityID (typically the SP)
AP    the asserting party entityID (typically the IdP)
PN    a SHA-256 hash of the local principal name combined with a site-specific secret key
AM    the authentication method URN

The key is read from a key file and is generated automatically if the file is missing. If the key is lost or reset, every local principal name will appear to analysis tools as a brand new user, and statistics from before and after the change can no longer be joined, so back the file up. The key is also what prevents anyone who can guess principal names from reversing the PN values, so the file must be readable only by the IdP process.
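As an added illustration (Python, written for this page; it is not the appender's own Java code), the following reproduces what the appender does to one audit log line and the parser a statistics collector needs on the receiving side. The audit line is constructed, the column order is assumed from the IdP 2.x audit log layout, and the exact hash construction (SHA-256 over the key followed by the principal name, UTF-8) is an assumption about the real appender; the key file path is a temporary file.

```python
import hashlib
import os
import re
import secrets
import tempfile

# Assumed IdP 2.x pipe-delimited audit log column order; check it against your own idp-audit.log.
AUDIT_COLUMNS = [
    "auditEventTime", "requestBinding", "requestId", "relyingPartyId",
    "messageProfileId", "assertingPartyId", "responseBinding", "responseId",
    "principalName", "authNMethod", "releasedAttributeIds", "nameIdentifier", "assertionIds",
]

# Constructed sample audit line (not taken from a real IdP).
SAMPLE_AUDIT_LINE = (
    "20130115T101530Z|urn:mace:shibboleth:2.0:profiles:saml2:sso|_a1b2c3|"
    "https://sp.example.org/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|"
    "https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|"
    "_d4e5f6|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|"
    "eduPersonPrincipalName,mail|_n1|_as1|"
)


def load_or_create_key(path):
    """Return the site key stored at path, creating a random 32-byte (hex) key, mode 0600, if absent.
    Losing or regenerating this key changes every PN value, so the file must be backed up."""
    if not os.path.exists(path):
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write(secrets.token_hex(32))
    with open(path) as f:
        return f.read().strip()


def hash_principal(principal, key):
    """PN value: SHA-256 over the site key and the local principal name.
    Byte layout (key first, then principal, UTF-8) is an assumption; what matters for statistics
    is that the mapping is stable per key and cannot be reversed without the key."""
    return hashlib.sha256((key + principal).encode("utf-8")).hexdigest()


def parse_audit_line(line):
    """Split one audit log line into a dict keyed by AUDIT_COLUMNS."""
    return dict(zip(AUDIT_COLUMNS, line.rstrip("\n").split("|")))


def audit_to_fticks(line, key, federation="SWAMID", version="2.0"):
    """Transform one audit log line into one F-TICKS record (the appender's job, redone here)."""
    a = parse_audit_line(line)
    attrs = [
        ("TS", a["auditEventTime"]),
        ("RP", a["relyingPartyId"]),
        ("AP", a["assertingPartyId"]),
        ("PN", hash_principal(a["principalName"], key)),
        ("AM", a["authNMethod"]),
    ]
    return "F-TICKS/%s/%s" % (federation, version) + "".join("#%s=%s" % kv for kv in attrs) + "#"


# Grammar from the page: 'F-TICKS/' federationIdentifier '/' version *('#' attribute '=' value) '#'
FTICKS_RE = re.compile(r"^F-TICKS/(?P<fed>[^/#]+)/(?P<ver>[^/#]+)(?P<attrs>(?:#[^#=]+=[^#]*)*)#$")


def parse_fticks(record):
    """Parse an F-TICKS record on the receiving (statistics) side; rejects malformed input."""
    m = FTICKS_RE.match(record.strip())
    if m is None:
        raise ValueError("not an F-TICKS record: %r" % record)
    attrs = dict(kv.split("=", 1) for kv in m.group("attrs").split("#")[1:])
    return {"federation": m.group("fed"), "version": m.group("ver"), "attrs": attrs}


def is_fticks(record):
    """True if record parses as F-TICKS, False otherwise."""
    try:
        parse_fticks(record)
        return True
    except ValueError:
        return False


def demo():
    """Round-trip the sample line under a fresh key and show the effect of a reset key."""
    with tempfile.TemporaryDirectory() as d:
        key_path = os.path.join(d, "fticks-key.txt")
        key = load_or_create_key(key_path)
        reread_ok = key == load_or_create_key(key_path)  # second call reads, does not regenerate
        mode = os.stat(key_path).st_mode & 0o777
        record = audit_to_fticks(SAMPLE_AUDIT_LINE, key)
        parsed = parse_fticks(record)
        # Same user, another login under the same key: PN is stable, so logins count per user.
        again = parse_fticks(audit_to_fticks(SAMPLE_AUDIT_LINE, key))["attrs"]["PN"]
        # Key reset: PN changes, and old and new streams can no longer be correlated.
        after_reset = hash_principal("jdoe", secrets.token_hex(32))
    return {
        "record": record,
        "parsed": parsed,
        "key_mode": mode,
        "reread_ok": reread_ok,
        "stable": parsed["attrs"]["PN"] == again,
        "changed_on_reset": parsed["attrs"]["PN"] != after_reset,
        "principal_leaked": "jdoe" in record,
    }


if __name__ == "__main__":
    print(demo()["record"])
```

Running the block prints one record such as F-TICKS/SWAMID/2.0#TS=20130115T101530Z#RP=https://sp.example.org/shibboleth#AP=https://idp.example.org/idp/shibboleth#PN=<64 hex chars>#AM=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport#; the principal name never appears in it, and the PN stays constant across logins only for as long as the key file does.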

Pre-requisites

These instructions are known to work with Shibboleth Identity Provider version 2.4 or later. To build the plugin you need Maven and a Java JDK.

Installation and Configuration

Configuration is done in logging.xml:

Appender

Add an appender definition to logging.xml close to where the other appenders are.

<appender name="IDP_FTICKS" class="net.nordu.logback.FTicksAppender">
   <syslogHost>syslog.swamid.se</syslogHost>
   <federationIdentifier>SWAMID</federationIdentifier>
   <version>2.0</version>
   <keyFile>/opt/shibboleth-idp/conf/fticks-key.txt</keyFile>
</appender>

Change keyFile to point to where you want to store the random key that protects local principal names. The file is created on first use if it does not exist; make sure the IdP process can write to that directory, and that no other user can read the file.

Do not lose this file once you have started to generate logs. Back it up together with the rest of the IdP configuration.

syslogHost is the syslog server that receives the F-TICKS stream; plain syslog transport is neither authenticated nor encrypted, so send it over a trusted network or via a local relay that forwards securely. federationIdentifier and version are written verbatim into every record.

Enable the appender

Add the appender to the Shibboleth-Audit logger by changing

<logger name="Shibboleth-Audit" level="ALL">
   <appender-ref ref="IDP_AUDIT" />
</logger>

to

<logger name="Shibboleth-Audit" level="ALL">
   <appender-ref ref="IDP_AUDIT" />
   <appender-ref ref="IDP_FTICKS" />
</logger>

This assumes that you haven't changed logging.xml from the default.

Build software

# git clone git://github.com/leifj/ndn-shib-fticks.git
# cd ndn-shib-fticks
# mvn package
... build finishes ...

The target directory should contain a jar-file. This is what you need for the next step.

Install software

Copy the jar file into the lib directory of the unpacked IdP installer distribution (shibboleth-identity-provider-2.x/lib, with the version of the distribution you installed from) and re-run install.sh to rebuild and deploy the IdP war file. You may need to restart the whole application container (e.g. Tomcat) for the change to take effect.
