PingFederate records a subset of transaction log information with additional details at runtime, intended to facilitate security auditing and regulatory compliance.
The system records activities from single sign-on (SSO), single logout (SLO), OAuth, WS-Trust Security Token Service (STS), and System for Cross-domain Identity Management (SCIM) inbound provisioning transactions in the security audit log, the audit.log file, located in the <pf_install>/pingfederate/log directory. You can output security audit log information to different formats, including databases, CEF, and Splunk.
Outbound provisioning transactions are not included in the security audit log. Instead, they are recorded in the outbound provisioning audit log, the provisioner-audit.log file, located in the <pf_install>/pingfederate/log directory.
The following tables describe the default and available fields. PingFederate separates each
field by a vertical pipe (|
). As needed, fields are configurable by
editing the
<pf_install>/pingfederate/server/default/conf/log4j2.xml
file.
Field | Description |
---|---|
%d | The transaction time. |
trackingid | The tracking ID values uniquely identify user sessions, useful for correlating log messages in the audit and server logs. |
transactionid | An identifier unique to the SSO or SLO PingFederate transaction. Tip: The unique transaction ID is exposed
at the SDK level to help custom plugin implementation simplify
transaction tracking across multiple products and services.
|
event | The type of transaction. For example, SSO ,
OAuth , AUTHN_ATTEMPT ,
AUTHN_REQUEST , AUTHN_SESSION_CREATED ,
AUTHN_SESSION_USED , AUTHN_SESSION_DELETED ,
and SRI_REVOKED .
|
subject | The subject of the transaction or authentication attempt. |
ip | The incoming IP address. |
app | The target service provider (SP) application, the email verification endpoint, or the profile management page, when applicable and available. |
connectionid | The partner identifier associated with the transaction. The OAuth client ID value for OAuth transactions. The ID of the authentication policy contract referenced by the local identity profile that has been invoked for the purpose of accessing the email verification endpoint or the profile management page. |
protocol | The associated identity protocol; for example, SAML20 or
OAuth20 . |
host | The host name or IP address of the PingFederate server. |
role | The role PingFederate played for the transaction. |
status | The status of the transactions. |
adapterid | The ID of an adapter instance. Consider adding the authenticationsourceid and targetsessionid fields to record additional information about the request. |
description | The description of an authentication failure, when such information is
available from the authentication source, or an authorization failure from an
erroneous OAuth authorization request. For user sign-on events processed through an HTML form adapter, the description includes the error source and error message. Here's an example of the description when
authentication with an HTML form adapter fails because a data store locked
the user's account, where
Here's an example of the description when authentication with an HTML form adapter fails because PingFederate's Account Locking Service locked the user's account:
|
responsetime | The time elapsed in milliseconds from when the system receives a final request for a transaction, to when the system writes the audit message. This value serves as an approximation of total transaction processing time and can be useful for monitoring trends. |
Field | Description |
---|---|
accessgrantguid | The GUID of the OAuth access grant, for OAuth transactions. |
assertionid | The unique ID for the SAML assertion. |
atjti | The jti (JWT ID) of the outbound JSON Web Token (JWT) access token (when role = AS). |
attrackingid | The tracking ID for OAuth access token. You can use this ID to analyze the flow of OAuth access tokens in the audit log and between PingFederate and PingAccess. |
attributes | The user attributes received (for an SP log), sent (for an IdP log), or provided by the user through the self-service registration or profile management page. |
authenticationsourceid | An array of one or more IdP adapters, one or more IdP connections, and
identity profile, if any, invoked in an authentication or logout flow. For
example, [adapter.HTMLFormSimplePCV, idpConnection.IdP,
localIdentity.A8me9rySDn1aIM48]
|
authnsessionexpiry | The expiry of an authentication session that has just been created or used. |
connectionname | The partner name associated with the transaction. The OAuth client name for OAuth transactions. The name of the authentication policy contract referenced by the local identity profile that has been invoked for the purpose of accessing the email verification endpoint or the profile management page. |
granttype | The OAuth grant type. |
header{anHttpRequestHeader} | The HTTP request header value identified by the header name. The header
name is case-insensitive. For example, header{user-agent} and
header{User-Agent} are equivalent. To record multiple headers, repeat the header field, as illustrated in the following sample pattern.
Given this partial sample, PingFederate includes both the accept-language and dnt HTTP request header values when recording entries in the audit log. Note:
To record values from all HTTP request headers, look for the
This capability is turned off by default and is likely suitable only for testing and troubleshooting purposes. |
httprequestid | The ID of the HTTP request. This can be used for correlation across external systems (like PingDirectory) and for debugging purposes in the server log. This field is optional. |
idjti | The jti of the outbound ID token (when role = AS) or inbound ID token (when role = SP). |
inachash | The hash of the inbound authorization code (when role
= AS). Attention: This
feature should only be enabled in production environments when actively
troubleshooting authentication issues. |
inathash | The hash of the inbound access token (when role =
AS or when role =
SP). Attention: This
feature should only be enabled in production environments when actively
troubleshooting authentication issues. |
initiator | The federation role that initiated the SSO or SLO: SP or
IDP .Applicable only to SAML 2.0 transactions. |
inmessagetype | The incoming message type. Possible values are |
inresponseto | The value of the InResponseTo attribute of an SSO or SLO response. |
inxmlmsg | The incoming message. For example, a SAML AuthnRequest or the information pertaining to an OAuth request. |
inrthash | The hash of the inbound refresh token (when role =
AS). Attention: This
feature should only be enabled in production environments when actively
troubleshooting authentication issues. |
localuserid | The local ID used for the transaction, when account linking is enabled at the SP. |
outachash | The hash of the outbound authorization code (when role
= AS). Attention: This
feature should only be enabled in production environments when actively
troubleshooting authentication issues. |
outathash | The hash of the outbound access token (when role =
AS). Attention: This
feature should only be enabled in production environments when actively
troubleshooting authentication issues. |
outrthash | The hash of the outbound refresh token (when role =
AS). Attention: This
feature should only be enabled in production environments when actively
troubleshooting authentication issues. |
outurl | The URL where the protocol response was sent. For security reason, parameters and fragments are excluded. |
outxmlmsg | The outgoing message. For example, a SAML Response or the information pertaining to a response for an OAuth request. |
parameter{anHttpRequestParameter} | The value of the HTTP request parameter identified by the parameter name.
The parameter name is case-sensitive. To record multiple parameters, repeat the parameter field, as illustrated in the following sample pattern.
Given this partial sample, PingFederate includes both the foo1 and Foo3 HTTP request parameter values when recording entries in the audit log. Note:
To record values from all HTTP request parameter, look for the
This capability is turned off by default and is likely suitable only for testing and troubleshooting purposes. |
pfversion | The PingFederate version. |
requestid | The ID of a SAML request. |
requestjti | The jti(s) of the inbound JWT access token (when role = AS), inbound JWT request object (when role = AS), or outbound JWT request object (when role = SP). |
requeststarttime | The start time of the request in milliseconds since midnight, January 1, 1970 UTC. |
responseid | The ID of a SAML response. |
sessiongroupid | The internal ID for a group of persistent authentication sessions associated with a single browser instance through the PF.PERSISTENT cookie. It is only set if the request has triggered a session lookup. |
sri | The session reference identifier (SRI) for the user, which can be passed to the session revocation API to revoke the user's sessions. It is only set if the request has triggered a session lookup. |
stspluginid | The ID for the token processor or token generator instance. Applicable only to WS-Trust STS transactions. |
targetsessionid | An array of one or more SP adapters or SP connections invoked in an authentication or logout flow. |
tlsversion | The connection’s TLS version. Note:
If you deploy PingFederate behind a reverse proxy that terminates TLS connections, you can configure the proxy to forward the TLS version in a header. For more information, see the header {anHttpRequestHeader} field and description. |
trackedparameter{anHttpRequestParameter} | The value of the tracked HTTP request parameter identified by the parameter
name. The parameter name is case-sensitive. Tip:
The PingFederate policy engine is capable of tracking HTTP request parameters that it receives from the initial request and making them available to authentication sources, selector instances, and contract mappings throughout the policy. As needed, parameters can be configured as such on the Tracked HTTP Parameterswindow. For more information about tracked parameters, see Policies. To record multiple parameters, repeat the trackedparameter field, as illustrated in the following sample pattern.
Given this partial sample, PingFederate includes both the foo2 and Foo4 HTTP request parameter values when recording entries in the audit log. If the parameter, as indicated by <anHttpRequestParameter>, has not been configured as a parameter to be tracked by the policy engine, PingFederate does not record the parameter value in the audit log. |
uniqueuserkey | The unique user key tied to the user's authentication sessions. It is only set if the user authenticated using an IdP adapter that has configured a unique user key attribute. |
validatorid | The ID of the Password Credential Validator (PCV) instance, for the successful attempts. |
virtualserverid | The virtual server ID of a request, if applicable. |
calculatehash.sh/bat
script in the PingFederate
bin folder.