
SIS Quick Note: Enhanced Audit Detail for SAML Assertions

Overview

We have a customer that aggregates all of their SiteMinder audit logs with the log collector NxLog. It is configured to tail smaccess.log and forward each record to a centralized syslog server. By default, SiteMinder records almost nothing about SAML assertion generation. The following line is the default smaccess.log output for one generated assertion:

AssertionGenerate sis-pol-svr-02 [25/Feb/2021:20:41:32 -0500] " " "  " [] [0]  [] []

Unfortunately, this line carries very little information about the assertion. There is no way to tell which user triggered the generation, which service provider the assertion was issued for, or where the user was being sent. To make the data useful for audit and detection, our customer wanted more detail on these AssertionGenerate events.

Enable Enhanced Auditing for SAML Assertion

To enable enhanced auditing for SAML assertions, you must edit the following registry key on the policy server (on a UNIX or Linux policy server the same key is kept in the sm.registry file under the installation directory rather than in a Windows registry):

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Reports

Inside the "Reports" key, add a new DWORD (32-bit) value named "Enable Enhance Tracing" (the value name is spelled exactly this way). The following settings are valid:

0 – Disable enhanced auditing

1 – Enables enhanced auditing

2 – Logs assertion attributes

3 – Logs assertion attributes and the authentication method for the resource

4 – Logs assertion attributes, the authentication method, and Enhanced Session Assurance with DeviceDNA information.

Finally, save the registry changes and restart the policy server service; the new value is not read until the service restarts.

To suit this customer's needs, we set Enable Enhance Tracing to 3. Note that from level 2 upward the assertion attribute values themselves (user names, e-mail addresses, entitlement identifiers) are written into smaccess.log, so the log file and the syslog pipeline now carry personal data and should be protected accordingly (restricted file permissions, an encrypted transport to the syslog server, and a retention policy). The following is the new log entry written when a SAML assertion is generated:

[Auth][AssertionGenerate][][sis-pol-svr-02][25/Feb/2021:20:54:32 -0500][][][][][][][][][][][][][][][][][][][][][_fe79b2728181001e1a5ab118dcfb37eca9af][fedsvcs.sisuniversity.com.instructorservices][https://instructorservices.sisuniversity.com/login?so=00Df40000002OWn&sc=0LEf4000000Y0G3][urn:oasis:names:tc:SAML:2.0:status:Success][25/Feb/2021:20:54:01 -0500][25/Feb/2021:20:56:01 -0500][25/Feb/2021:20:54:30 -0500][25/Feb/2021:20:56:01 -0500][urn:oasis:names:tc:SAML:2.0:ac:classes:Password][SAML 2.0][UserName=MathTeacher01;Email=credentialing@office365.com;UserLastName=DOE;UserFirstName=John;InstructorRecordAccess=0f9d2f36-1734-4409-81b5-ac658e9dff0d;InstructorRoleAccess=0f9d2f36-1734-4409-81b5-ac658e9dff0d:33dd3d14][][][SAML 2.0]

The table below maps each populated column of the log entry to its meaning (the run of empty bracketed columns after the date is not listed). The column that the original draft labelled a "transaction binding" actually holds the SAML 2.0 status code returned with the assertion, so it is labelled as such here:

Attribute                  Data
Transaction Type           Auth
Action                     AssertionGenerate
Policy Server              sis-pol-svr-02
Date / Time                25/Feb/2021:20:54:32 -0500
Transaction ID             _fe79b2728181001e1a5ab118dcfb37eca9af
SP ID                      fedsvcs.sisuniversity.com.instructorservices
Destination URL            https://instructorservices.sisuniversity.com/login?so=00Df40000002OWn&sc=0LEf4000000Y0G3
SAML Status                urn:oasis:names:tc:SAML:2.0:status:Success
Before Skew (start / end)  [25/Feb/2021:20:54:01 -0500] [25/Feb/2021:20:56:01 -0500]
After Skew (start / end)   [25/Feb/2021:20:54:30 -0500] [25/Feb/2021:20:56:01 -0500]
Auth Type                  urn:oasis:names:tc:SAML:2.0:ac:classes:Password
SAML Version               SAML 2.0
SAML Attribute #1          UserName=MathTeacher01
SAML Attribute #2          Email=credentialing@office365.com
SAML Attribute #3          UserLastName=DOE
SAML Attribute #4          UserFirstName=John
SAML Attribute #5          InstructorRecordAccess=0f9d2f36-1734-4409-81b5-ac658e9dff0d
SAML Attribute #6          InstructorRoleAccess=0f9d2f36-1734-4409-81b5-ac658e9dff0d:33dd3d14
SAML Version (repeated)    SAML 2.0
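Once the enhanced line is in the syslog pipeline, the next step is to parse it and run checks over it. The following is an added example for this note, not SiteMinder or NxLog code. It splits the bracketed columns, skips the run of empty columns after the date, names the remaining columns in the order of the table above, and then runs three checks per assertion: a non-success status, an unusually long validity window, and an assertion for a known SP ID being sent to a destination host outside that SP's allow-list. The first sample line is the entry shown above; the default-format line and the second enhanced line (a different transaction ID and destination host) are constructed for the example, and the per-SP allow-list of destination hosts is an assumption that a real deployment would fill from its federation partnership configuration.

```python
"""Parse SiteMinder smaccess.log AssertionGenerate entries written with
Enable Enhance Tracing = 3 and run simple audit checks over them.

Added example for this note; not SiteMinder or NxLog code. Column order
follows the sample entry and table in the note. EXPECTED_DEST_HOSTS and
the second enhanced sample line are constructed assumptions.
"""
from datetime import datetime
from urllib.parse import urlsplit

# Names for the populated columns that follow the run of empty columns
# after the date, in the order the note's table lists them.
TAIL_FIELDS = [
    "transaction_id", "sp_id", "destination_url", "saml_status",
    "before_skew_start", "before_skew_end",
    "after_skew_start", "after_skew_end",
    "authn_context", "saml_version", "attributes",
]
STATUS_PREFIX = "urn:oasis:names:tc:SAML:2.0:status:"
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumption: which destination hosts each SP ID is allowed to be sent to.
EXPECTED_DEST_HOSTS = {
    "fedsvcs.sisuniversity.com.instructorservices": {"instructorservices.sisuniversity.com"},
}

# Constructed sample input: the note's enhanced entry, the note's default
# (non-enhanced) entry, and one constructed enhanced entry with a foreign host.
SAMPLE_LINES = [
    "[Auth][AssertionGenerate][][sis-pol-svr-02][25/Feb/2021:20:54:32 -0500][][][][][][][][][][][][][][][][][][][][][_fe79b2728181001e1a5ab118dcfb37eca9af][fedsvcs.sisuniversity.com.instructorservices][https://instructorservices.sisuniversity.com/login?so=00Df40000002OWn&sc=0LEf4000000Y0G3][urn:oasis:names:tc:SAML:2.0:status:Success][25/Feb/2021:20:54:01 -0500][25/Feb/2021:20:56:01 -0500][25/Feb/2021:20:54:30 -0500][25/Feb/2021:20:56:01 -0500][urn:oasis:names:tc:SAML:2.0:ac:classes:Password][SAML 2.0][UserName=MathTeacher01;Email=credentialing@office365.com;UserLastName=DOE;UserFirstName=John;InstructorRecordAccess=0f9d2f36-1734-4409-81b5-ac658e9dff0d;InstructorRoleAccess=0f9d2f36-1734-4409-81b5-ac658e9dff0d:33dd3d14][][][SAML 2.0]",
    'AssertionGenerate sis-pol-svr-02 [25/Feb/2021:20:41:32 -0500] " " "  " [] [0]  [] []',
    "[Auth][AssertionGenerate][][sis-pol-svr-02][25/Feb/2021:20:55:32 -0500][][][][][][][][][][][][][][][][][][][][][_constructed00000000000000000000000001][fedsvcs.sisuniversity.com.instructorservices][https://login.example.net/sso][urn:oasis:names:tc:SAML:2.0:status:Success][25/Feb/2021:20:55:01 -0500][25/Feb/2021:20:57:01 -0500][25/Feb/2021:20:55:30 -0500][25/Feb/2021:20:57:01 -0500][urn:oasis:names:tc:SAML:2.0:ac:classes:Password][SAML 2.0][UserName=MathTeacher01;Email=credentialing@office365.com][][][SAML 2.0]",
]


def parse_attributes(raw):
    """'k=v;k2=v2' -> dict. partition() keeps any '=' inside a value intact."""
    attrs = {}
    for item in filter(None, raw.split(";")):
        name, _, value = item.partition("=")
        attrs[name] = value
    return attrs


def parse_enhanced_line(line):
    """Return a dict for an enhanced AssertionGenerate entry, or None for
    any other line (including the default, non-enhanced format)."""
    line = line.strip()
    if not (line.startswith("[") and line.endswith("]")):
        return None
    fields = line[1:-1].split("][")
    if len(fields) < 5 or fields[1] != "AssertionGenerate":
        return None
    rec = {"transaction_type": fields[0], "action": fields[1],
           "policy_server": fields[3],
           "logged_at": datetime.strptime(fields[4], TIME_FMT)}
    i = 5
    while i < len(fields) and fields[i] == "":   # skip the empty run
        i += 1
    tail = fields[i:]
    if len(tail) < len(TAIL_FIELDS):
        raise ValueError("only %d populated columns after the date" % len(tail))
    rec.update(zip(TAIL_FIELDS, tail))
    # A '][' inside a value would shift the positional split; the status
    # column is the cheapest place to notice that.
    if not rec["saml_status"].startswith(STATUS_PREFIX):
        raise ValueError("status column misaligned: %r" % rec["saml_status"])
    for key in TAIL_FIELDS[4:8]:
        rec[key] = datetime.strptime(rec[key], TIME_FMT)
    rec["attributes"] = parse_attributes(rec["attributes"])
    return rec


def audit(lines, max_window_seconds=300):
    """Parse every line and return (records, findings); each finding is a
    (transaction_id, message) pair."""
    records, findings = [], []
    for line in lines:
        rec = parse_enhanced_line(line)
        if rec is None:
            continue
        records.append(rec)
        user = rec["attributes"].get("UserName", "<no UserName attribute>")
        txid = rec["transaction_id"]
        if rec["saml_status"] != STATUS_PREFIX + "Success":
            findings.append((txid, "non-success status %s for %s" % (rec["saml_status"], user)))
        window = (rec["before_skew_end"] - rec["before_skew_start"]).total_seconds()
        if window > max_window_seconds:
            findings.append((txid, "validity window %ds exceeds %ds" % (window, max_window_seconds)))
        host = urlsplit(rec["destination_url"]).hostname
        allowed = EXPECTED_DEST_HOSTS.get(rec["sp_id"])
        if allowed is not None and host not in allowed:
            findings.append((txid, "assertion for %s for user %s sent to unexpected host %s"
                             % (rec["sp_id"], user, host)))
    return records, findings


if __name__ == "__main__":
    recs, found = audit(SAMPLE_LINES)
    for r in recs:
        print(r["transaction_id"], r["attributes"].get("UserName"), r["sp_id"], r["destination_url"])
    for txid, msg in found:
        print("FINDING", txid, msg)
```

The positional split deliberately does not count the empty columns, so it keeps working if a different trace level leaves a different number of them blank; the status-prefix check is what catches a genuinely misaligned record. Keys such as UserName are taken from the attribute names the note's sample emits and will differ per deployment.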

As always, we hope that you have found this information useful. If you need IAM assistance, reach out to SIS today and we would be happy to assist you. And subscribe to our newsletter to be notified about the posting of future articles and other SIS news.