Skip links

SIS Quick Note: Enhanced Audit Detail for SAML Assertions

Overview

We have a customer that aggregates all their SiteMinder audit logs using a log parser tool named NxLog. It is configured to parse the smaccess.log and send the data to a centralized Syslog server. By default, SiteMinder will not include any details about the SAML assertion generation. The following line is the default output for a SAML assertion generation in the smaccess log:

AssertionGenerate sis-pol-svr-02 [25/Feb/2021:20:41:32 -0500] " " "  " [] [0]  [] []

Unfortunately, this line provides very little information about the SAML assertion. There is no way to determine which user triggered this generation and there is no way to know what the destination of the user will be. To make the data more useful, our customer wanted to have more details about these AssertionGenerate events.

Enable Enhanced Auditing for SAML Assertion

To enable enhanced auditing for SAML assertions, you must edit the following registry:

/HKEY_LOCAL_MACHINE/SOFTWARE/NETEGRITY/SiteMinder/CurrentVersion/Reports

Once in the “Reports” registry key, add a new DWORD(32 Bit) attribute named “Enable Enhance Tracing”. The following values for this attribute are valid:

0 – Disable enhanced auditing

1 – Enables enhanced auditing

2 – Logs assertion attributes

3 – Logs assertion attributes and the authentication method for the resource

4 – Logs assertion attributes, the authentication method, and Enhanced Session Assurance with DeviceDNA information.

Finally, save the registry changes and restart the policy server service.

To suit this customer’s needs, we used ‘3’ for the trace level value. The following is the new log entry associated with a SAML assertion being generated:

[Auth][AssertionGenerate][][sis-pol-svr-02][25/Feb/2021:20:54:32 -0500][][][][][][][][][][][][][][][][][][][][][_fe79b2728181001e1a5ab118dcfb37eca9af][fedsvcs.sisuniversity.com.instructorservices][https://instructorservices.sisuniversity.com/login?so=00Df40000002OWn&sc=0LEf4000000Y0G3][urn:oasis:names:tc:SAML:2.0:status:Success][25/Feb/2021:20:54:01 -0500][25/Feb/2021:20:56:01 -0500][25/Feb/2021:20:54:30 -0500][25/Feb/2021:20:56:01 -0500][urn:oasis:names:tc:SAML:2.0:ac:classes:Password][SAML 2.0][UserName=MathTeacher01;Email=credentialing@office365.com;UserLastName=DOE;UserFirstName=John;InstructorRecordAccess=0f9d2f36-1734-4409-81b5-ac658e9dff0d;InstructorRoleAccess=0f9d2f36-1734-4409-81b5-ac658e9dff0d:33dd3d14][][][SAML 2.0]

The table below shows the data that is contained in the log entry:

AttributeData
Transaction TypeAuth
ActionAssertionGenerate
Policy Serversis-pol-svr-02
Date / Time25/Feb/2021:20:54:32 -0500
Transaction ID_fe79b2728181001e1a5ab118dcfb37eca9af
SPIDfedsvcs.sisuniversity.com.instructorservices
Destination URLhttps://instructorservices.sisuniversity.com/login?so=00Df40000002OWn&sc=0LEf4000000Y0G3
SAML Transaction Bindingurn:oasis:names:tc:SAML:2.0:status:Success
Before Skew[25/Feb/2021:20:54:01 -0500] [25/Feb/2021:20:56:01 -0500]
After Skew[25/Feb/2021:20:54:30 -0500] [25/Feb/2021:20:56:01 -0500]
Auth Typeurn:oasis:names:tc:SAML:2.0:ac:classes:Password
SAML VersionSAML 2.0
SAML Attribute: #1UserName=MathTeacher01
SAML Attribute: #2Email=credentialing@office365.com
SAML Attribute: #3UserLastName=DOE
SAML Attribute: #4UserFirstName=John
SAML Attribute: #5InstructorRecordAccess=0f9d2f36-1734-4409-81b5-ac658e9dff0d
SAML Attribute: #6InstructorRoleAccess=0f9d2f36-1734-4409-81b5-ac658e9dff0d:33dd3d14
SAML VersionSAML 2.0

As always, we hope that you have found this information useful. If you need IAM assistance, reach out to SIS today and we would be happy to assist you. And subscribe to our newsletter to be notified about the posting of future articles and other SIS news.

JOIN OUR NEWSLETTER

If you want to know our recent offer please subscribe to our newsletter