PingFederate Server

Runtime transaction logging

PingFederate provides for flexible, scalable logging of all federated-identity transactions, for both inbound and outbound messages.

About this task

Administrators can configure transaction logging to any of the four modes on a per-connection basis. They can also override the logging mode for all service provider (SP) connections, identity provider (IdP) connections, or both, either for troubleshooting or as a one-step means of raising or lowering all connection logging modes to the same level. The log file is transaction.log, located in the <pf_install>/pingfederate/log directory.

The following table describes the four transaction logging modes.

Mode Description

No Logging

No transaction logging.

Standard

(Default) Summary information for each transaction message, including:

  • Time stamp

  • Hostname and port

  • Log mode

  • Connection ID

  • SAML status code, for SAML responses only

  • Context

  • Message type

  • SAML ID for SAML messages only

  • Endpoint for outbound messages only

  • Target URL, if the transaction is a single sign-on (SSO) transaction

Enhanced

Includes everything logged at the Standard level plus:

  • SAML_SUBJECT*

  • Binding

  • Relay state, if available

  • Signature policy

  • Signature status

  • HTTP request parameters, for outbound messages only

* Only when available in a SAML assertion, a single logout (SLO) request, an STS Request Security Token Response (RSTR), or an authentication request (AuthnRequest).

Full

Includes everything logged at the Enhanced level plus the complete XML message for every transaction.

Each field is separated by a vertical pipe (|) for parsing.
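The following Python code is an added example, not part of the PingFederate documentation. It parses pipe-delimited records and reports which connections are writing at a given mode, for instance to confirm that a troubleshooting override to Full has been reverted. The column order, the spelling of the mode values, and the sample records are assumptions; match them to your server's actual transaction.log.

```python
from collections import defaultdict

# ASSUMPTION: columns follow the order of the Standard-mode field list above;
# the real order comes from the server's logging configuration, so adjust it.
STANDARD_FIELDS = ["timestamp", "host_port", "log_mode", "connection_id",
                   "saml_status", "context", "message_type", "saml_id",
                   "endpoint", "target_url"]
# ASSUMPTION: the log-mode column carries the mode name as the table spells it.
MODES = {"standard", "enhanced", "full"}

def parse_line(line):
    """Return a dict for one record, or None for lines that are not records
    (blank lines, continuation lines of a multi-line XML message)."""
    parts = [p.strip() for p in line.rstrip("\n").split("|")]
    if len(parts) < len(STANDARD_FIELDS):
        return None
    rec = dict(zip(STANDARD_FIELDS, parts))
    if rec["log_mode"].lower() not in MODES:
        return None  # pipes inside a message body, not a record header
    # Enhanced/Full columns are kept unparsed; their layout is not assumed.
    rec["extra"] = parts[len(STANDARD_FIELDS):]
    return rec

def modes_by_connection(lines):
    """Map each connection ID to the set of logging modes seen for it."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            seen[rec["connection_id"]].add(rec["log_mode"].title())
    return dict(seen)

def connections_in_mode(lines, mode):
    """Connection IDs with at least one record written in the given mode."""
    return sorted(c for c, m in modes_by_connection(lines).items()
                  if mode.title() in m)

# Constructed sample records (hosts, IDs and values are made up).
SAMPLE = """\
2024-05-01 10:15:02,123| sso.example.com:9031| Standard| sp-hr| urn:oasis:names:tc:SAML:2.0:status:Success| SSO| Response| ID-a1| https://hr.example.com/acs| https://hr.example.com/home
2024-05-01 10:15:07,412| sso.example.com:9031| Full| sp-crm| | SSO| AuthnRequest| ID-b2| | | jdoe| POST| | | | | <samlp:AuthnRequest ID="ID-b2">
  <saml:Issuer>a|b</saml:Issuer></samlp:AuthnRequest>
2024-05-01 10:16:30,001| sso.example.com:9031| Enhanced| sp-hr| | SLO| LogoutRequest| ID-c3| https://hr.example.com/slo| | jdoe| Redirect| | | |
""".splitlines()

if __name__ == "__main__":
    for conn, modes in sorted(modes_by_connection(SAMPLE).items()):
        print(conn, sorted(modes))
    print("Full:", connections_in_mode(SAMPLE, "Full"))
```

Lines that do not start a record, such as the continuation of a multi-line XML message in Full mode, are skipped rather than misread as records.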

Steps

  • To configure transaction logging mode on a per connection basis:

    1. Select the applicable connection on the IdP Connections page (Authentication > Integration > IdP Connections) or the SP Connections page (Applications > Integration > SP Connections).

    2. On the General Info tab, select one of the logging modes.

  • To override transaction logging mode for all IdP or SP connections:

    1. Go to System > Server > General Settings.

    2. For IdP connections, select a logging mode in the IDP Connection Transaction Logging Override list.

    3. For SP connections, select a logging mode in the SP Connection Transaction Logging Override list.

    4. Click Save.