For more information about log files, see PingFederate log files. PingFederate provides this masking capability at all points where the server logs attributes. These points include:

  • Datastore lookup at either the identity provider (IdP) or service provider (SP) site. For more information, see Datastores.
  • Retrieval of attributes from an IdP adapter or token processor. For more information, see Setting pseudonym and masking options and Setting attribute masking.
  • SP-server processing of incoming attributes based on the single sign-on (SSO) attribute contract. For more information, see Defining an attribute contract.

    The SAML Subject ID is not masked; the SAML specifications provide for either pseudonymous account linking or transient identification to support privacy for the Subject ID. For more information, see Account linking.

  • SP-server processing of incoming attributes in response to an Attribute Request under X.509 Attribute Sharing Profile (XASP). For more information, see Configuring security policy for Attribute Query.

    For information about XASP, see Attribute Query and XASP.


    Many adapter implementations, along with other product extensions, can independently write unmasked attribute values to the PingFederate server log. PingFederate does not control these implementations. If using such a component raises a concern about sensitive attribute values, you can adjust the component's logging threshold in log4j2.xml to prevent the recording of attributes.