fticks:Fticks

Log statistics in the F-ticks federation log format .

The filter aims to produce as many F-ticks attributes as possible, irrespective of whether SimpleSAMLphp is acting as an identity provider or a SAML service provider.

Configuration

The filter supports the following configuration options:

federation
F-ticks federation identifier. Specifying a federation identifier is mandatory , and the filter will generate an exception if one is not given.
salt
A salt used to preserve the privacy of the F-ticks PN attribute. If not specified, the secretsalt from the main config is used.
identifyingAttribute
The SAML attribute specifying the user id. It is mandatory
realm
The SAML attribute specifying the user's realm. If not specified, the F-ticks REALM attribute is not generated.
algorithm
The hash algorithm to use. Defaults to sha256 , but any algorithm supported by PHP can be used.
exclude
An array of F-ticks attributes to exclude/filter from the output.
logdest
Destination for F-ticks logs. Must be one of the following options:
logconfig
An array of configuration options for the logging method. The exact values supported depend on the specific logdest , but the following are understood:

Note that if logdest is local and you set either processname or facility to a value that's different to what is in SimpleSAMLphp's global config, you may end up with inconsistent output from SimpleSAMLphp's own logging. This is because PHP's openlog function does not return a handle.

Examples

In its simplest form, the filter is configured like this:

    'authproc' => [
        50 => [
            'class' => 'fticks:Fticks',
            'federation' => 'ACME',
        ],
    ],

A more complete example looks like:

    'authproc' => [
        50 => [
            'class' => 'fticks:Fticks',
            'federation' => 'ACME',
            'salt' => 'someVerySecretStringDifferentFromTheDefault',
            'identifyingAttribute' => 'eduPersonPrincipalName',
            'realm' => 'schacHomeOrganization',
            'algorithm' => 'sha512',
            'exclude' => ['PN'],
        ],
    ],

Remote logging can be done like this:

    'authproc' => [
        50 => a[
            'class' => 'fticks:Fticks',
            'federation' => 'ACME',
            'logdest' => 'remote',
            'logconfig' => [
                'host' => '90.147.166.156',
                'port' => 514,
            ],
        ],
    ],

F-ticks output

The filter is capable of generating the following F-ticks attributes: AP, AM, CSI, PN, REALM, RESULT, RP, TS.

The following notes document how some of these attributes are generated/derived:

AM
The authentication method is derived from the SP's SAML state. If that is not available, is set to urn:oasis:names:tc:SAML:2.0:ac:classes:Password when one of the authentication sources based on the UserPassBase class.
CSI
The calling station identifier is set to the SimpleSAMLphp tracking id (same as logs)
PN
The PN is generated in a similar way too, but completely independently from a saml:PersistentNameID .
RESULT
Result is always set to OK , since if the authentication fails, the authproc filter is never called.
TS
The timestamp is set to the SAML AuthNInstant if that is known, or the current time otherwise.