PicketLinkAudit

Availability

Available since PicketLink v2.1.2.Final (Release Date: TBD)

Configuration

At the root element of picketlink.xml, i.e. PicketLink, add the attribute "EnableAudit" and set it to "true".

picketlink.xml
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1" EnableAudit="true">
        <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1">
                <IdentityURL>${idp.url::http://localhost:8080/idp/}</IdentityURL>
                <Trust>
                        <Domains>localhost,jboss.com,jboss.org,amazonaws.com</Domains>
                </Trust>
        </PicketLinkIDP>
        <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
                <Handler
                        class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
                <Handler
                        class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
                <Handler
                        class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
                <Handler
                        class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
        </Handlers>
</PicketLink>

Server Runtime Configuration

JBoss AS 7.1.x

Please make the following configuration changes to the logging section of standalone.xml

standalone.xml/logging
<periodic-rotating-file-handler name="PICKETLINK">
    <formatter>
        <pattern-formatter pattern="%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n"/>
    </formatter>
    <file relative-to="jboss.server.log.dir" path="picketlink.log"/>
    <suffix value=".yyyy-MM-dd"/>
    <append value="true"/>
</periodic-rotating-file-handler>

<!-- PicketLink 2.1 used: category="org.picketlink.identity.federation.audit" -->
<logger category="org.picketlink.common">
    <level name="INFO"/>
    <handlers>
        <handler name="PICKETLINK"/>
    </handlers>
</logger>

As you can see, we have added a periodic rotating file handler called "PICKETLINK" and then defined a logger at INFO level, attached to that handler, so that the PicketLinkAuditProvider output is written to picketlink.log.

Now, for each of the security domains that govern your Identity Provider (IDP), Service Provider (SP) and Security Token Service (STS), add the audit provider module.

standalone.xml
<security-domain name="idp" cache-type="default">
    <authentication>
        <login-module code="UsersRoles" flag="required">
            <module-option name="usersProperties" value="users.properties"/>
            <module-option name="rolesProperties" value="roles.properties"/>
        </login-module>
    </authentication>
    <audit>
        <provider-module code="org.picketlink.identity.federation.core.audit.PicketLinkAuditProvider"/>
    </audit>
</security-domain>
<security-domain name="picketlink-sts" cache-type="default">
    <authentication>
        <login-module code="UsersRoles" flag="required">
            <module-option name="usersProperties" value="users.properties"/>
            <module-option name="rolesProperties" value="roles.properties"/>
        </login-module>
    </authentication>
    <audit>
        <provider-module code="org.picketlink.identity.federation.core.audit.PicketLinkAuditProvider"/>
    </audit>
</security-domain>
<security-domain name="sp" cache-type="default">
    <authentication>
        <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/>
    </authentication>
    <audit>
        <provider-module code="org.picketlink.identity.federation.core.audit.PicketLinkAuditProvider"/>
    </audit>
</security-domain>
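A common misconfiguration is adding the audit provider to one security domain and forgetting the others. The following check, an added example that is not part of this page or of PicketLink, parses a standalone.xml security subsystem and reports which of the idp, sp and picketlink-sts domains lack the PicketLinkAuditProvider; the XML fragment is constructed for the example and, for brevity, omits the JBoss security namespace (the tag matching tolerates either form).

```python
import xml.etree.ElementTree as ET

AUDIT_PROVIDER = "org.picketlink.identity.federation.core.audit.PicketLinkAuditProvider"

# Constructed standalone.xml fragment: "idp" is configured as on this page,
# "sp" is missing its <audit> block and "picketlink-sts" is absent altogether.
# A real standalone.xml wraps these elements in the urn:jboss:domain:security namespace.
SAMPLE_SUBSYSTEM = """\
<subsystem>
  <security-domains>
    <security-domain name="idp" cache-type="default">
      <authentication>
        <login-module code="UsersRoles" flag="required"/>
      </authentication>
      <audit>
        <provider-module code="org.picketlink.identity.federation.core.audit.PicketLinkAuditProvider"/>
      </audit>
    </security-domain>
    <security-domain name="sp" cache-type="default">
      <authentication>
        <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/>
      </authentication>
    </security-domain>
  </security-domains>
</subsystem>
"""


def local_name(tag):
    """Strip a {namespace} prefix so the check works with or without the JBoss namespace."""
    return tag.rsplit("}", 1)[-1]


def domains_missing_audit(xml_text, required=("idp", "sp", "picketlink-sts")):
    """Return the names of the required security domains that do not carry the
    PicketLink audit provider; a domain that is absent from the file counts as missing."""
    root = ET.fromstring(xml_text)
    has_audit = {}
    for domain in root.iter():
        if local_name(domain.tag) != "security-domain":
            continue
        codes = [pm.get("code") for pm in domain.iter() if local_name(pm.tag) == "provider-module"]
        has_audit[domain.get("name")] = AUDIT_PROVIDER in codes
    return [name for name in required if not has_audit.get(name, False)]
```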

During operation, you should see a picketlink.log file in your server log directory.

Here is an example of a picketlink.log generated with audit enabled on the IDP application alone.

picketlink.log
17:00:30,299 INFO  [org.picketlink.identity.federation.core.audit.PicketLinkAuditProvider] (http--127.0.0.1-8080-2) /idp CREATED_ASSERTION ID_3f41b3ba-3f82-4e89-8219-c28c2d442c82 [Info]
17:00:30,302 INFO  [org.picketlink.identity.federation.core.audit.PicketLinkAuditProvider] (http--127.0.0.1-8080-2) /idp RESPONSE_TO_SP http://localhost:8080/sales-post/ [Info]
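Once audit is enabled, picketlink.log is the record of which assertions the IDP issued and where the SAML responses went. The following parser, an added example that is not part of this page or of PicketLink, splits lines written by the pattern-formatter above into their fields and runs one constructed defender check: it flags RESPONSE_TO_SP events whose destination host is outside the <Trust><Domains> list from picketlink.xml. The sample log is the two lines shown above.

```python
import re
from urllib.parse import urlparse

# Matches lines produced by the pattern "%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n",
# where the audit message is "<context> <EVENT> <detail> [<kind>]".
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>\w+)\s+"
    r"\[(?P<category>[^\]]+)\]\s+\((?P<thread>[^)]+)\)\s+"
    r"(?P<context>\S+)\s+(?P<event>[A-Z_]+)\s+(?P<detail>.*?)\s*\[(?P<kind>\w+)\]$"
)

# Constructed sample: the two picketlink.log lines shown on this page.
SAMPLE_LOG = """\
17:00:30,299 INFO  [org.picketlink.identity.federation.core.audit.PicketLinkAuditProvider] (http--127.0.0.1-8080-2) /idp CREATED_ASSERTION ID_3f41b3ba-3f82-4e89-8219-c28c2d442c82 [Info]
17:00:30,302 INFO  [org.picketlink.identity.federation.core.audit.PicketLinkAuditProvider] (http--127.0.0.1-8080-2) /idp RESPONSE_TO_SP http://localhost:8080/sales-post/ [Info]
"""

# The <Trust><Domains> list from the picketlink.xml on this page.
TRUSTED_DOMAINS = ("localhost", "jboss.com", "jboss.org", "amazonaws.com")


def parse_audit_log(text):
    """Parse picketlink.log text into a list of event dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def host_is_trusted(url, domains=TRUSTED_DOMAINS):
    """True if the URL's host is a trusted domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def untrusted_sp_responses(events, domains=TRUSTED_DOMAINS):
    """RESPONSE_TO_SP events whose destination host is outside the trusted domains."""
    return [e for e in events
            if e["event"] == "RESPONSE_TO_SP" and not host_is_trusted(e["detail"], domains)]


def assertions_per_thread(events):
    """Count CREATED_ASSERTION events per request thread, a quick volume check."""
    counts = {}
    for e in events:
        if e["event"] == "CREATED_ASSERTION":
            counts[e["thread"]] = counts.get(e["thread"], 0) + 1
    return counts
```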

Enabling the global audit setting

For JBoss AS 7.1.x, you can configure the picketlink.audit.enable system property in standalone.xml:

standalone.xml
</extensions>

    <system-properties>
        <property name="picketlink.audit.enable" value="true"/>
    </system-properties>

    <management>
JBoss.org Content Archive (Read Only), exported from JBoss Community Documentation Editor at 2020-03-11 12:19:12 UTC, last content change 2015-02-10 14:09:47 UTC.