Logging attributes to audit log - SSO

It is possible to nominate additional attributes to be logged in the audit log. This is useful, for example, when billing depends on a customer attribute or on an attribute received from an Identity Provider.

The attributes which are logged are defined in the uas.properties file:

/ubilogin-sso/webapps/uas/WEB-INF/uas.properties
whitelist.assertion-received = email organisation
whitelist.ticket-granted = email organisation
  • whitelist.assertion-received lists the attributes that are received from the upstream IDP or authentication method (method attributes).
  • whitelist.ticket-granted lists the attributes that were sent to a connected application (Service Provider), as defined in the Authorization Policy.

The attribute names are delimited by a whitespace character.

The attribute values are logged within quotation marks (") and separated by commas. They appear before the User Agent value.

(existing audit log content),"example@example.com","Example, Inc.","Mozilla 5.0xxxxxxxxxx"

To enable the above configuration, the following commands must be run:

cd /d "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\config"
tomcat\update.cmd
net stop ubilogin-server
net start ubilogin-server

Multi-value attributes are not supported. Only the first value of a multi-value attribute will be logged.