PingFederate Server

Correlating PingFederate events with PingDirectory LDAP activities

When the Intermediate Client Request Control is enabled on PingDirectory, you can correlate events in PingFederate with LDAP activities in PingDirectory by matching the session and request tracking IDs in their logs.

PingFederate can receive many requests during a session. The session ID is consistent throughout a session, but the request ID is unique for every request. You can use the request ID to search for specific events within a session.

PingFederate records runtime requests in its audit log and gives them tracking IDs. When PingFederate sends an LDAP call to PingDirectory, PingFederate also sends the request’s tracking ID.

For PingFederate to send the tracking ID to PingDirectory, the Intermediate Client Request Control (OID 1.3.6.1.4.1.30221.2.5.2) must be enabled in PingDirectory. In addition, no access control instruction can prevent the service account that PingFederate uses to access PingDirectory from using this OID.

PingDirectory records the tracking ID as a session ID or request ID value in its access log. In the log, the ID is a property of a via element.

For example, if you see the following via elements in the PingDirectory access log, you can match them with PingFederate events by looking for session ID kkLivppizq1RvbaYBAuB1r9z-Y8 and request ID FhMl5Lz0KwsQphYUlUVHS4xkC5s in the PingFederate audit log.

via="app='PingFederate' sessionID='tid:kkLivppizq1RvbaYBAuB1r9z-Y8'"
via="app='PingFederate' requestID='tid:FhMl5Lz0KwsQphYUlUVHS4xkC5s'"
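The lookup described above can be scripted. The following is an added example, not code from Ping Identity: it pulls the session and request IDs out of via elements and finds the audit log lines that mention them. Only the via elements come from this page; the other log fields, the audit log layout, and the function names are constructed assumptions.

```python
import re
from collections import defaultdict

# ID inside a via element, as shown in the access log excerpt above.
VIA_RE = re.compile(
    r"via=\"app='PingFederate' (?P<kind>sessionID|requestID)='tid:(?P<tid>[^']+)'\""
)

def extract_via_ids(access_lines):
    """Map (kind, tracking ID) -> PingDirectory access log lines carrying it."""
    found = defaultdict(list)
    for line in access_lines:
        for m in VIA_RE.finditer(line):
            found[(m.group("kind"), m.group("tid"))].append(line)
    return dict(found)

def correlate(access_lines, audit_lines):
    """Pair each via ID with the PingFederate audit lines that mention it."""
    result = {}
    for (kind, tid), ldap_ops in extract_via_ids(access_lines).items():
        # Whole-token match, so a short ID cannot match inside a longer one.
        token = re.compile(
            r"(?<![A-Za-z0-9_/-])" + re.escape(tid) + r"(?![A-Za-z0-9_/-])"
        )
        events = [a for a in audit_lines if token.search(a)]
        result[(kind, tid)] = {"ldap": ldap_ops, "pingfederate": events}
    return result

# Constructed sample lines: only the via elements come from the page; the
# surrounding fields and the audit log layout are simplified assumptions.
ACCESS_LOG = [
    "BIND REQUEST conn=7 op=0 via=\"app='PingFederate' sessionID='tid:kkLivppizq1RvbaYBAuB1r9z-Y8'\"",
    "SEARCH REQUEST conn=7 op=1 via=\"app='PingFederate' requestID='tid:FhMl5Lz0KwsQphYUlUVHS4xkC5s'\"",
    "SEARCH REQUEST conn=9 op=4 via=\"app='PingFederate' requestID='tid:FhMl5Lz0KwsQ'\"",
]
AUDIT_LOG = [
    "2024-01-01 10:00:00| tid:kkLivppizq1RvbaYBAuB1r9z-Y8| sample-event-1",
    "2024-01-01 10:00:01| tid:FhMl5Lz0KwsQphYUlUVHS4xkC5s| sample-event-2",
]

if __name__ == "__main__":
    for (kind, tid), hit in correlate(ACCESS_LOG, AUDIT_LOG).items():
        print(kind, tid, len(hit["ldap"]), "LDAP op(s),",
              len(hit["pingfederate"]), "audit event(s)")
```

The third constructed access log line carries an ID that is a prefix of a real one; the whole-token match keeps it from being paired with the wrong audit event, so it is reported with no PingFederate match.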

When PingFederate receives requests, it records request IDs at the DEBUG level in the server log. If the Request Header for Correlation ID field specifies a header, and the incoming request includes that header, PingFederate uses its value as the request ID.

PingFederate uses a header value only if it is between 1 and 50 characters long and contains only alphanumeric characters, hyphens, or forward slashes. If the header is missing, invalid, or contains disallowed characters, PingFederate generates a unique request ID instead.

Learn more in General settings.