At runtime PingFederate logs user attributes (see PingFederate log files). To preserve user privacy, you may wish to mask the values of logged attributes.

PingFederate provides this masking capability at all points where the server logs attributes. These points include:

  • Datastore lookup at either the IdP or SP site (see Managing datastores).
  • Retrieval of attributes from an IdP adapter or token processor (see Setting pseudonym and masking options and Setting attribute masking).
  • SP-server processing of incoming attributes based on the SSO attribute contract, (see Defining an attribute contract).

    Note that the SAML Subject ID is not masked: the SAML specifications provide for either pseudonymous account linking or transient identification to support privacy for the Subject ID (see Account linking).

  • SP-server processing of incoming attributes in response to an Attribute Request under XASP (see Configuring security policy for Attribute Query).

    For information about XASP, see Attribute Query and XASP.


    Many adapter implementations, as well as other product extensions, may independently write unmasked attribute values to the PingFederate server log. These implementations are beyond the control of PingFederate. If sensitive attribute values are a concern when using such a component, a system administrator can adjust the component's logging threshold in log4j2.xml to prevent the recording of attributes.