---
title: Attribute masking
description: At runtime PingFederate logs user attributes. To preserve user privacy, you can mask the values of logged attributes.
component: pingfederate
version: 13.1
page_id: pingfederate:introduction_to_pingfederate:pf_attrib_masking
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/introduction_to_pingfederate/pf_attrib_masking.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: May 10, 2023
---

# Attribute masking

At runtime PingFederate logs user attributes. To preserve user privacy, you can mask the values of logged attributes.

For more information about log files, see [PingFederate log files](../administrators_reference_guide/pf_log_files.html). PingFederate provides this masking capability at all points where the server logs attributes. These points include:

* Datastore lookup at either the identity provider (IdP) or service provider (SP) site. For more information, see [Managing datastores](../administrators_reference_guide/pf_managing_datastores.html).

* Retrieval of attributes from an IdP adapter or token processor. For more information, see [Setting pseudonym and masking options](../administrators_reference_guide/pf_setting_pseudonym_masking_options.html) and [Setting attribute masking](../administrators_reference_guide/help_tokenprocessorinstancetasklet_attributevaluemaskstate.html).

* SP-server processing of incoming attributes based on the single sign-on (SSO) attribute contract. For more information, see [Defining an attribute contract](../administrators_reference_guide/help_usersessioncreationtasklet_createattributecontractstate.html).

  |   |                                                                                                                                                                                                                                              |
  | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
  |   | The SAML Subject ID is not masked; the SAML specifications provide for either pseudonymous account linking or transient identification to support privacy for the Subject ID. For more information, see [Account linking](pf_acc_link.html). |

* SP-server processing of incoming attributes in response to an Attribute Request under X.509 Attribute Sharing Profile (XASP). For more information, see [Configuring security policy for Attribute Query](../administrators_reference_guide/help_idpxasptasklet_attrauthsecuritypolicystate.html).

  For information about XASP, see [Attribute Query and XASP](pf_attrib_query_xasp.html).

  |   |                                                                                                                                                                                                                                                                                                                                                                                                 |
  | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
  |   | Many adapter implementations, along with other product extensions, can independently write unmasked attribute values to the PingFederate server log. PingFederate does not control these implementations. If using such a component raises a concern about sensitive attribute values, you can adjust the component's logging threshold in `log4j2.xml` to prevent the recording of attributes. |