PingFederate Server

Runtime transaction logging

PingFederate provides for flexible, scalable logging of all federated-identity transactions, for both inbound and outbound messages.

About this task

Administrators can configure transaction logging to any of the four modes on a per-connection basis. They can also override the logging mode for all service provider (SP) connections, identity provider (IdP) connections, or both, either for troubleshooting or as a one-step means of raising or lowering all connection logging modes to the same level. The log file is transaction.log, located in the <pf_install>/pingfederate/log directory.

The following table describes the four transaction logging modes.

Mode Description

None

No transaction logging.

Standard

(Default) Summary information for each transaction message, including:

  • Time stamp

  • Hostname and port

  • Log mode

  • Connection ID

  • SAML status code, for SAML responses only

  • Context

  • Message type

  • SAML ID, for SAML messages only

  • Endpoint, for outbound messages only

  • Target URL, if single sign-on (SSO) transaction

Enhanced

Includes everything logged at the Standard level, plus:

  • SAML_SUBJECT*

  • Binding

  • Relay state, if available

  • Signature policy

  • Signature status

  • HTTP request parameters, for outbound messages only

* Only when available in a SAML assertion, a single logout (SLO) request, an STS Request Security Token Response (RSTR), or an authentication request (AuthnRequest)

Full

Includes everything logged at the Enhanced level plus the complete XML message for every transaction.

Each field is separated by a vertical pipe (|) for parsing.
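
An added example (not from the PingFederate documentation or product) that splits Standard-mode records on the pipe and counts non-success SAML status codes per connection ID. The column order, the empty column for a field that does not apply, and the sample records are assumptions constructed for illustration; check them against your own transaction.log.

```python
from collections import Counter

# Assumption: columns follow the order of the Standard-mode list on this page,
# and a field that does not apply to a message is logged as an empty column.
STANDARD_FIELDS = (
    "timestamp", "host_port", "log_mode", "connection_id", "saml_status",
    "context", "message_type", "saml_id", "endpoint", "target_url",
)
SAML_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample records (not real PingFederate output).
SAMPLE_LINES = [
    "2024-01-15 10:22:31,114| sso.example.com:9031| Standard| sp-payroll| | SSO| AuthnRequest| id-a1| | https://app.example.com/",
    "2024-01-15 10:22:32,480| sso.example.com:9031| Standard| sp-wiki| urn:oasis:names:tc:SAML:2.0:status:Success| SSO| Response| id-b2| https://wiki.example.com/acs| https://wiki.example.com/",
    "2024-01-15 10:23:05,902| sso.example.com:9031| Standard| sp-payroll| urn:oasis:names:tc:SAML:2.0:status:AuthnFailed| SSO| Response| id-c3| https://app.example.com/acs| https://app.example.com/",
    "2024-01-15 10:24:41,377| sso.example.com:9031| Standard| sp-payroll| urn:oasis:names:tc:SAML:2.0:status:Responder| SSO| Response| id-d4| https://app.example.com/acs| https://app.example.com/",
    "2024-01-15 10:25:02,007| sso.example.com:9031| Standard",  # truncated record
]

def parse_line(line):
    """Split one pipe-delimited record into a dict; None if it has too few columns."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) < len(STANDARD_FIELDS):
        return None
    record = dict(zip(STANDARD_FIELDS, parts))
    # Columns beyond the Standard set (Enhanced or Full mode) are kept unparsed.
    record["extra"] = parts[len(STANDARD_FIELDS):]
    return record

def failed_responses(lines):
    """Return (non-success SAML status count per connection ID, malformed line count)."""
    failures, skipped = Counter(), 0
    for line in lines:
        if not line.strip():
            continue
        record = parse_line(line)
        if record is None:
            skipped += 1
        elif record["saml_status"] not in ("", SAML_SUCCESS):
            failures[record["connection_id"]] += 1
    return failures, skipped

if __name__ == "__main__":
    failures, skipped = failed_responses(SAMPLE_LINES)
    for connection_id, count in failures.most_common():
        print(f"{connection_id}: {count} non-success SAML responses")
    print(f"skipped {skipped} malformed line(s)")
```
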

Steps

  • To configure transaction logging mode on a per-connection basis:

    1. Select the applicable connection on the IdP Connections window (Authentication → Integration → IdP Connections) or the SP Connections window (Applications → Integration → SP Connections).

    2. On the General Info tab, select one of the logging modes.

  • To override transaction logging mode for all SP or IdP connections:

    1. On the IdP Connections window or SP Connections window, click Show Advanced Fields.

    2. On the Logging Mode Override setting, click On.

    3. Select a logging mode for the IdP or SP connections.