-
Notifications
You must be signed in to change notification settings - Fork 1
leifj/ndn-shib-fticks
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
Introduction ------------ This is a logback (http://logback.qos.ch/) appender for writing "SAML F-TICKS" to syslog based on Shibboleth (http://shibboleth.internet2.edu) Audit Logs. This is an "uggly hack" (TM) that transforms the Audit Log format into the F-TICKS format. The purpose of this appender is to produce a privacy-preserving stream of audit data which can be used to produce federation-wide usage statistics. Log format ---------- The F-TICKS format implemented by this log appender is a generalization of the eduroam F-TICKS format: 'F-TICKS/' federationIdentifier '/' version *('#' attribute '=' value ) '#' In eduroam federationIdentifier is 'eduroam' and version is '1.0'. This implementation allows these values to be defined. The eduroam pattern SHOULD NOT be reused, instead consider using something that identifies the federation. The attributes exposed are: TS: the login time stamp RP: the relying party entityID AP: the asserting party entityID (typcially the IdP) PN: a sha256-hash of the local principal name and a unique key AM: the authentication method URN The unique key is stored in a key file and is automatically generated if missing. If this key is lost or reset then all local principal names will appear to have changed to analysis tools so avoid this! Configuration ------------- Configuration is done in logging.xml: 1) Add an appender definition: <appender name="IDP_FTICKS" class="net.nordu.logback.FTicksAppender"> <syslogHost>syslog.example.org</syslogHost> <federationIdentifier>swamid</federationIdentifier> <version>1.0</version> <keyFile>/opt/shibboleth-idp/conf/fticks-key.txt</keyFile> <blacklist>^test-.*$$|^monitor$$</blacklist> </appender> Change the keyFile to point to where you want to store your random key for protecting local principal names. NOTE!!!! Do not loose this file once you've started to generate logs The blacklist is a regular expression, referer to the java documentation on regular expressions: http://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html#sum Any log event where the local username matches this regexp are excluded from the log. Typically this is used to disable f-ticks for test or monitor accounts. Note that Java regexps imply *full* match so be sure to provide ^ and $ at the beginning and end of the string or your regexps probably won't match. $ must be doubled as $$ in logging.xml. NOTE!!!! The other options should be self-explanatory. 2) Add the appender to the Shibboleth-Audit logger by changing <logger name="Shibboleth-Audit" level="ALL"> <appender-ref ref="IDP_AUDIT" /> </logger> to <logger name="Shibboleth-Audit" level="ALL"> <appender-ref ref="IDP_AUDIT" /> <appender-ref ref="IDP_FTICKS" /> </logger> This assumes that you haven't changed logging.xml from the default. 3) Build: # git clone git://github.com/leifj/ndn-shib-fticks.git # cd ndn-shib-fticks # mvn ... build finishes ... The target directory should contain a jar-file. This is what you need for the next step. 4) Copy the jar-file to shibboleth-identity-provider-2.2.x/lib and re-run the install.sh script to build and deploy the shibboleth war-file. You may need to restart your entire application container (tomcat) for this to take effekt. If everything works you should start seeing F-TICKS lines on your syslog server! Comments are most welcome to leifj at sunet.se