By: Vipin Jain named 07 Aug 2017 at 7:36 a.m. CDT

9 Responses
Hello Team, We are configuring Gluu Logs to talk to our SIEM tool and wanna see if we can capture a LDAP Attribute as part of the OXAuth logs for success/fail users (valid username) Can you please help here? Thanks

By Mohib Zico staff 07 Aug 2017 at 10 a.m. CDT

For oxAuth.. it's called 'scope' ( OpenID connect name of attributes ). By default, there are four scopes included: openid, profile, email and user_name. You can grab that 'user_name' ( or.. User ) from oxauth.log. Here is a sample 'Successful authentication' log:

```
2017-08-07 14:57:38,611 INFO [qtp242131142-13] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:519) - Attempting to redirect user: SessionUser: SessionState, dn='oxAuthSessionId=8cde3049-7898-4ef8-8d8c-e3345630de79,ou=session,o=@!F6A8.5900.F24B.2584!0001!8C21.4A85,o=gluu', id='8cde3049-7898-4ef8-8d8c-e3345630de79', isJwt=false, lastUsedAt=Mon Aug 07 14:57:38 UTC 2017, userDn='inum=@!F6A8.5900.F24B.2584!0001!8C21.4A85!0000!A8F2.DE1E.D7FB,ou=people,o=@!F6A8.5900.F24B.2584!0001!8C21.4A85,o=gluu', authenticationTime=Mon Aug 07 14:57:38 UTC 2017, state=authenticated, permissionGranted=null, permissionGrantedMap=org.xdi.oxauth.model.common.SessionIdAccessMap@2845e577, sessionAttributes={auth_step=1, acr=auth_ldap_server, remote_ip=192.168.0.102, scope=openid profile email user_name, acr_values=auth_ldap_server, response_type=code id_token, redirect_uri=https://allinone3.gluu.org/identity/authentication/authcode, nonce=nonce, client_id=@!F6A8.5900.F24B.2584!0001!8C21.4A85!0008!1EA6.ABAE, auth_user=admin}, persisted=true}
2017-08-07 14:57:38,616 INFO [qtp242131142-13] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:527) - Attempting to redirect user: User: org.xdi.oxauth.model.common.User@52838282
2017-08-07 14:57:38,634 INFO [qtp242131142-13] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:323) - Authentication success for User: 'admin'
2017-08-07 14:57:40,352 INFO [qtp242131142-18] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:189) - Authentication success for Client: '@!F6A8.5900.F24B.2584!0001!8C21.4A85!0008!1EA6.ABAE'
```
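As an added example (not code from the thread or from Gluu), here is a small parser for the oxauth.log lines Mohib pasted, showing where the username, remote IP, scope, client id and user DN sit in those records and how a SIEM pipeline would turn them into one JSON event per line keyed on `auth_user`. The sample lines are the ones quoted above; the `USER_ATTRIBUTES` table is a constructed, hypothetical stand-in for the extra LDAP attributes the SIEM wants, which in a real deployment would come from the claims released via a scope as described in the next answer, or from a directory lookup.

```python
import json
import re
from datetime import datetime

# oxauth.log lines quoted from the answer above (real thread sample, not constructed).
SAMPLE_LOG = """\
2017-08-07 14:57:38,611 INFO [qtp242131142-13] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:519) - Attempting to redirect user: SessionUser: SessionState, dn='oxAuthSessionId=8cde3049-7898-4ef8-8d8c-e3345630de79,ou=session,o=@!F6A8.5900.F24B.2584!0001!8C21.4A85,o=gluu', id='8cde3049-7898-4ef8-8d8c-e3345630de79', isJwt=false, lastUsedAt=Mon Aug 07 14:57:38 UTC 2017, userDn='inum=@!F6A8.5900.F24B.2584!0001!8C21.4A85!0000!A8F2.DE1E.D7FB,ou=people,o=@!F6A8.5900.F24B.2584!0001!8C21.4A85,o=gluu', authenticationTime=Mon Aug 07 14:57:38 UTC 2017, state=authenticated, permissionGranted=null, permissionGrantedMap=org.xdi.oxauth.model.common.SessionIdAccessMap@2845e577, sessionAttributes={auth_step=1, acr=auth_ldap_server, remote_ip=192.168.0.102, scope=openid profile email user_name, acr_values=auth_ldap_server, response_type=code id_token, redirect_uri=https://allinone3.gluu.org/identity/authentication/authcode, nonce=nonce, client_id=@!F6A8.5900.F24B.2584!0001!8C21.4A85!0008!1EA6.ABAE, auth_user=admin}, persisted=true}
2017-08-07 14:57:38,634 INFO [qtp242131142-13] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:323) - Authentication success for User: 'admin'
2017-08-07 14:57:40,352 INFO [qtp242131142-18] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:189) - Authentication success for Client: '@!F6A8.5900.F24B.2584!0001!8C21.4A85!0008!1EA6.ABAE'
"""

# Constructed, hypothetical attribute table: stands in for the LDAP attributes the
# SIEM wants to join onto each event (mail, department, ...). Not from the thread.
USER_ATTRIBUTES = {"admin": {"mail": "admin@example.test", "department": "IT"}}

# Common prefix of every oxauth.log line: timestamp, level, [thread], [logger], (source) - message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) \[(?P<thread>[^\]]+)\] \[(?P<logger>[^\]]+)\] "
    r"\((?P<src>[^)]+)\) - (?P<msg>.*)$"
)
SESSION_ATTRS_RE = re.compile(r"sessionAttributes=\{(?P<body>[^}]*)\}")
USER_DN_RE = re.compile(r"userDn='(?P<dn>[^']*)'")
USER_SUCCESS_RE = re.compile(r"Authentication success for User: '(?P<user>[^']*)'")
CLIENT_SUCCESS_RE = re.compile(r"Authentication success for Client: '(?P<client>[^']*)'")


def parse_session_attributes(body):
    """Split 'k=v, k=v, ...' into a dict; values (e.g. scope) may contain spaces but not commas."""
    attrs = {}
    for pair in body.split(", "):
        key, sep, value = pair.partition("=")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs


def parse_oxauth_log(text):
    """Return one event dict per recognised line; unrecognised lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        base = {
            "timestamp": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f"),
            "level": m["level"],
            "logger": m["logger"],
        }
        msg = m["msg"]
        sa = SESSION_ATTRS_RE.search(msg)
        if sa:
            attrs = parse_session_attributes(sa["body"])
            dn = USER_DN_RE.search(msg)
            events.append({**base, "event": "session_redirect",
                           "user": attrs.get("auth_user"),
                           "remote_ip": attrs.get("remote_ip"),
                           "client_id": attrs.get("client_id"),
                           "user_dn": dn["dn"] if dn else None,
                           "session_attributes": attrs})
            continue
        u = USER_SUCCESS_RE.search(msg)
        if u:
            events.append({**base, "event": "auth_success_user", "user": u["user"]})
            continue
        c = CLIENT_SUCCESS_RE.search(msg)
        if c:
            events.append({**base, "event": "auth_success_client", "client_id": c["client"]})
    return events


def enrich(events, directory):
    """Join the attribute table onto events that carry a username (the SIEM correlation step)."""
    out = []
    for e in events:
        e = dict(e)
        if e.get("user") in directory:
            e["ldap"] = directory[e["user"]]
        out.append(e)
    return out


def to_siem_line(event):
    """One JSON object per line, which is what most SIEM collectors expect."""
    return json.dumps(event, default=str, sort_keys=True)


if __name__ == "__main__":
    for ev in enrich(parse_oxauth_log(SAMPLE_LOG), USER_ATTRIBUTES):
        print(to_siem_line(ev))
```

The join key is `auth_user` from `sessionAttributes`; the `userDn` field gives the inum if the SIEM prefers a stable identifier over the login name.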

By Vipin Jain named 07 Aug 2017 at 12:15 p.m. CDT

Hello Gluu Team, Thanks for the update. We need to add couple of LDAP attributes as part of below log so that SIEM tool can correlate the logs. Can you please help.

```
2017-08-07 14:57:38,611 INFO [qtp242131142-13] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:519) - Attempting to redirect user: SessionUser: SessionState, dn='oxAuthSessionId=8cde3049-7898-4ef8-8d8c-e3345630de79,ou=session,o=@!F6A8.5900.F24B.2584!0001!8C21.4A85,o=gluu', id='8cde3049-7898-4ef8-8d8c-e3345630de79', isJwt=false, lastUsedAt=Mon Aug 07 14:57:38 UTC 2017, userDn='inum=@!F6A8.5900.F24B.2584!0001!8C21.4A85!0000!A8F2.DE1E.D7FB,ou=people,o=@!F6A8.5900.F24B.2584!0001!8C21.4A85,o=gluu', authenticationTime=Mon Aug 07 14:57:38 UTC 2017, state=authenticated, permissionGranted=null, permissionGrantedMap=org.xdi.oxauth.model.common.SessionIdAccessMap@2845e577, sessionAttributes={auth_step=1, acr=auth_ldap_server, remote_ip=192.168.0.102, scope=openid profile email user_name, acr_values=auth_ldap_server, response_type=code id_token, redirect_uri=https://allinone3.gluu.org/identity/authentication/authcode, nonce=nonce, client_id=@!F6A8.5900.F24B.2584!0001!8C21.4A85!0008!1EA6.ABAE, auth_user=admin}, persisted=true}
```

Thanks

By Mohib Zico staff 07 Aug 2017 at 1:03 p.m. CDT

You need to play with scope, claim and client. Something like:

- Create new scope
- Add claims ( that attribute you want )
- Release that scope in corresponding openid client.

Out of curiosity, what are you actually trying to achieve with more 'ldap attributes' ?

By Vipin Jain named 07 Aug 2017 at 1:12 p.m. CDT

I am trying to get more details of user's from LDAP attributes in Logs so that my SIEM can read the logs and get more meaningful dashboards out of it. Why do i need to work on OpenID client, I am doing this for all SAML apps transactions?

By Mohib Zico staff 07 Aug 2017 at 1:15 p.m. CDT

> Why do i need to work on OpenID client, I am doing this for all SAML apps transactions?

Because, you asked about 'oxAuth' :-)

By Vipin Jain named 07 Aug 2017 at 1:17 p.m. CDT

Yes, because all the logs for authentication is in OXAuth logs for any SAML app transactions also.

By Mohib Zico staff 07 Aug 2017 at 1:18 p.m. CDT

Cool, you answered your question. Yes, authentication is all about oxAuth. After successful authentication with primary attribute and password; for SAML apps... rest logging goes into idp-process.log.

By Vipin Jain named 07 Aug 2017 at 1:20 p.m. CDT

Yes, i saw idp-process.log too but the issue is that debug logs are written in individual lines. Can we get the log output as a single line with the complete SAML XML file being sent over? Thanks

By Mohib Zico staff 07 Aug 2017 at 1:31 p.m. CDT

I think you can achieve that with simple python script; nothing available in log4j or logging.xml for that, IMO.
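As an added example of the "simple python script" approach suggested above (this is not Gluu's code and not part of the thread), here is a filter that folds a multi-line idp-process.log record, such as a pretty-printed SAML message dumped at DEBUG level, into a single line so a SIEM collector sees one event per record. The only assumption about the log format is that each new record begins with a `YYYY-MM-DD HH:MM:SS` timestamp and continuation lines do not; the sample log below is constructed, with placeholder logger names and a placeholder assertion, and is not real IdP output.

```python
import re
import sys

# Constructed sample in the shape of an idp-process.log DEBUG dump: a timestamped
# record followed by a pretty-printed SAML fragment spread over several lines.
# Logger names and the assertion contents are placeholders, not real IdP output.
SAMPLE_IDP_LOG = """\
2017-08-07 14:57:41 - INFO [example.logger.Profile] - Profile action starting
2017-08-07 14:57:41 - DEBUG [example.logger.Encoder] - Outbound message:
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_PLACEHOLDER_ID">
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Subject><saml2:NameID>admin</saml2:NameID></saml2:Subject>
  </saml2:Assertion>
</saml2p:Response>

2017-08-07 14:57:42 - INFO [example.logger.Profile] - Profile action complete
"""

# A record starts with a timestamp; anything else is a continuation of the previous record.
RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def collapse_multiline(text):
    """Return one string per log record, with continuation lines joined by single spaces."""
    records = []
    current = None
    for line in text.splitlines():
        if RECORD_START.match(line):
            if current is not None:
                records.append(current)
            current = line.rstrip()
        elif line.strip():
            if current is None:
                # Continuation seen before any record start (e.g. file rotated mid-record):
                # keep it as its own record rather than silently dropping data.
                current = line.strip()
            else:
                current += " " + line.strip()
    if current is not None:
        records.append(current)
    return records


if __name__ == "__main__":
    # Usage: python collapse_idp_log.py < idp-process.log > idp-process.oneline.log
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IDP_LOG
    for record in collapse_multiline(source):
        print(record)
```

Two things to keep in mind when wiring this into the SIEM feed: a collapsed record contains the full assertion, so whatever user attributes the IdP releases now travel to the SIEM and should fall under the same access and retention controls as the IdP's own logs; and the timestamp-prefix assumption only holds if nobody changes the logging pattern, so a format change on the IdP side will quietly turn every line back into its own record.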