

Update Federation Web Services Data in the Logs

If you modify any part of the federation configuration at the producer/Identity Provider or the consumer/Service Provider, flush the Federation Web Services cache for the changes to appear in the trace logs.

Note: There is a brief delay between when the changes are made and when Federation Web Services receives the information.

To flush the cache

  1. Access the FSS Administrative UI.
  2. Select Tools, Manage Cache to access the Cache Management dialog.
  3. Click Flush All.
  4. Click OK.

Simplify Logging with Trace Configuration Templates

To simplify the collection of tracing data, a series of preconfigured templates is installed with the Policy Server and the Web Agent Option Pack. You can use these templates instead of creating your own trace configuration file to collect the data that gets written to a trace log.

Trace Logging Templates for FWS

The following templates are available for Federation Web Services:

Template             Tracing Messages Collected
WebAgentTrace.conf   Default template. Collects data that you specify.
FWS_SSOTrace.conf    Collects single sign-on messages
FWS_SLOTrace.conf    Collects single logout messages
FWS_IPDTrace.conf    Collects Identity Provider Discovery Profile messages

All these templates include the Fed_Client component and subcomponents for the specific data being tracked. Look at each template to see the exact contents. The templates are located in web_agent_home/config.

To use a template for trace logging

  1. Make a copy of the template you want to use and rename the copy.

    Note: Do not edit the template directly.

  2. Open the Agent configuration file or Agent configuration object.
  3. Set the TraceFile parameter to Yes.
  4. Set the TraceFileName parameter to the full path to the trace log file. This file contains the log output.
  5. Set the TraceConfigFile parameter to the full path to the newly named template file.
  6. Format the trace log file. The following parameters are the Web Agent configuration parameters that dictate the format of the trace log file:

    For descriptions of each logging parameter, see the Web Agent Configuration Guide.

Note: Web Agents on IIS 6.0 and Apache 2.0 servers do not support dynamic configuration of log parameters that are set locally in the Agent configuration file. Consequently, when you modify a parameter, the change takes effect only after the Agent is restarted. If you configure the log parameters in an Agent configuration object, these log settings can be stored and updated dynamically.

FWS Template Sample

The following text is an excerpt from the FWS_SLOTrace.conf template. Most of the file contains comments and instructions on how to use the file, the command syntax, and the available subcomponents for the Fed_Client component.

The excerpt shows the component (Fed_Client) and the subcomponents (Single_Logout and Configuration) that are monitored. The excerpt also shows the specific data fields that indicate the required contents of each message (Date, Time, Pid, Tid, TransactionID, SrcFile, Function, Message).

components: Fed_Client/Single_Logout, Fed_Client/Configuration
data: Date, Time, Pid, Tid, TransactionID, SrcFile, Function, Message

Trace Logging Templates for the IdP and SP

The following templates are available for trace logging related to the Identity Provider and the Service Provider, such as assertion generation or SAML authentication.

Template                 Tracing Messages Collected
samlidp_trace.template   Collects messages for Identity Provider activity
samlsp_trace.template    Collects messages for Service Provider activity

Look at each template to see the exact contents. The templates are located in policy_server_home/config/profiler_templates.

To use the template

  1. Open the Policy Server Management Console.
  2. Select the Profiler tab.
  3. Select the Enable Profiling check box.
  4. In the Configuration File field, click Browse and locate the template that you want to use.
  5. In the Output section, select whether to log the data to the Console or to a File or both. If you select a file, specify a path to that file in the Output to File field and select an output format.

    Note: Verify that the log file uses a unique name.

  6. Click OK to save your changes.

Service Provider Template Sample

The following text is the samlsp_trace.template file.

components: Server/Policy_Server_General, IsProtected/Resource_Protection, Login_Logout/Authentication, Login_Logout/Policy_Evaluation, Login_Logout/Active_Expression, Login_Logout/Session_Management, IsAuthorized/Policy_Evaluation, JavaAPI, Fed_Server/Auth_Scheme, Fed_Server/Configuration
data: Date, Time, Tid, TransactionID, SrcFile, Function, Domain, Resource, Action, User, Message

For Federation Security Services, the template includes the Fed_Server component along with the subcomponents Auth_Scheme and Configuration.

The data fields that indicate the required contents of each message are:

Date, Time, Tid, TransactionID, SrcFile, Function, Domain, Resource, Action, User, and Message.
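
Added example (not from the product or its documentation): a Python check that parses a copied trace configuration in the components:/data: form shown in the FWS and Service Provider samples above and reports any required subcomponent or data field that is missing from the copy. The function names, the "#" comment marker, and the embedded sample text are assumptions made for illustration.

```python
# Constructed samples: the two components:/data: excerpts shown on this page,
# with one comment line added (the "#" comment marker is an assumption).
FWS_SLO = """\
# renamed copy of FWS_SLOTrace.conf
components: Fed_Client/Single_Logout, Fed_Client/Configuration
data: Date, Time, Pid, Tid, TransactionID, SrcFile, Function, Message
"""
SAML_SP = """\
components: Server/Policy_Server_General, IsProtected/Resource_Protection, Login_Logout/Authentication, Login_Logout/Policy_Evaluation, Login_Logout/Active_Expression, Login_Logout/Session_Management, IsAuthorized/Policy_Evaluation, JavaAPI, Fed_Server/Auth_Scheme, Fed_Server/Configuration
data: Date, Time, Tid, TransactionID, SrcFile, Function, Domain, Resource, Action, User, Message
"""

def parse_trace_config(text):
    """Return (components, data); components maps name -> set of subcomponents."""
    components, data = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and assumed comments
            continue
        key, sep, value = line.partition(":")
        key = key.strip().lower()
        if not sep or key not in ("components", "data"):
            raise ValueError(f"unrecognized line: {raw!r}")
        items = [v.strip() for v in value.split(",") if v.strip()]
        if key == "data":
            data.extend(items)
            continue
        for item in items:
            comp, _, sub = item.partition("/")   # "JavaAPI" has no subcomponent
            subs = components.setdefault(comp, set())
            if sub:
                subs.add(sub)
    return components, data

def missing_from(text, need_components, need_fields):
    """List required 'Component/Sub' entries and data fields absent from a config."""
    components, data = parse_trace_config(text)
    # Field names are compared case-insensitively (TransactionId vs TransactionID).
    have = {f.lower() for f in data}
    problems = []
    for entry in need_components:
        comp, _, sub = entry.partition("/")
        if comp not in components or (sub and sub not in components[comp]):
            problems.append(entry)
    problems += [f for f in need_fields if f.lower() not in have]
    return problems
```

Running missing_from on a renamed copy before pointing TraceConfigFile or the Profiler at it catches an edit that dropped a subcomponent or a correlation field such as TransactionID.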