The log file is line oriented, one record per line irrespective of line length, and plain text: binary data is generally omitted or represented as (safe) base64. Fields are separated by exactly one space character (0x20), except for the last, free-format field, which may contain spaces. Records are separated by exactly one newline (0x0a) character (never by a CRLF sequence).
The log file format supports:

  - Plain text logging
  - Signed plain text logging using either RSA-SHA1 or DSA-SHA1
  - Symmetrically encrypted logging using either 3DES or AES
  - Asymmetrically encrypted logging using RSA (or DSA?)
  - Signed and symmetrically encrypted logging
  - Signed and asymmetrically encrypted logging
All activity and error log file lines have one of the following three formats:

  # comment
  SE CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
  SE SIG OURTS SRCTS IP:PORT SUCCEID MID A7NID NID VVV RES OP PPP FMT
where

SE: Log signing and encryption designator. In all cases the actual signing or encryption key is not identified on the log line. This will need to be determined out-of-band. The designator covers the following cases:
  - Plain: not signed and not encrypted
  - RSA-SHA1 signed (x = any encryption)
  - DSA-SHA1 signed
  - SHA1 check-summed, but not signed (SSSS is the checksum)
  - Asymmetrically AES encrypted (x = any signing method)
  - Asymmetrically 3DES encrypted
  - Symmetrically AES encrypted (theoretical: how to safeguard the key?)
  - Symmetrically 3DES encrypted (theoretical: how to safeguard the key?)
  - Experimental arrangements.

CCCC: Safe base64 encoded log encryption blob. When an encryption blob is present, the rest of the log fields do not appear on the line. The decrypted log line contains the fields starting from SSSS.

SIG: Safe base64 encoded log line signature blob. If there is no signature, this is a dash ("-").

OURTS: Our time stamp, format YYYYMMDD-HHMMSS.TTT where TTT are the milliseconds. The time is always in GMT (UTC, Zulu time).

SRCTS: Source time stamp, format YYYYMMDD-HHMMSS.TTT. If TTT was not originally specified it is represented as "501". The time is always in GMT (UTC, Zulu time).

IP:PORT: The IP address and the port number of the other end point (usually the client, but it could be spoofed, caveat emptor).

SUCCEID: The SHA1 name of the entity (succinct entity ID without the equals sign).

MID: Message ID relating to the log line. Allows the message to be fetched from the database or the file system. Any relates-to or similar ID is only available by fetching the original message. Dash ("-") if none.

A7NID: Assertion ID relating to the log line. Allows the assertion to be fetched from the database or the file system. If the message benefits from multiple assertions, this is the ID of the outermost one. Other A7NIDs are only available by fetching the original assertion. Dash ("-") if none. If the assertion is encrypted and cannot be decrypted, the placeholder "-enca7n-" is used.

NID: IdP assigned NameID relating to the message, if any. If the NameID is encrypted and cannot be decrypted, the placeholder "-encnid-" is used.
VVV: Signature validation codes:
  - Capital Oh (not zero). All relevant signatures validate (generally assertion)
  - Unsupported or bad signature or message digest algorithm
  - Checksum of XML DSIG does not validate
  - The RSA layer of the signature does not validate
  - No signature detected.
  - Issuer metadata not found (or not in CoT, or corrupt metadata).
  - Assertion validity error (e.g. not in time range or wrong audience)
  - Operation failed or faulted by error code (low level protocol ok)
  - Extended signature validation code (generally failure)
  - Experimental signature validation code (generally failure)
RES: Result of the operation:
  - Operation was a success
  - Operation failed because the client did not provide valid input
  - Operation failed due to a server side error
  - Operation failed due to a policy or permissions issue
  - Temporary error, client was encouraged to retry
  - Metadata related error (no metadata or parse error in metadata)
  - Redirect or recredential. Client was encouraged to retry.
  - Way point message. Neither success nor failure.
  - Extended result (generally failure)
  - Experimental result (generally failure)
OP: The documented operation:
  - Federation and SSO request succeeded, new federation was created.
  - SSO using federated ID was performed
  - SSO using temporary NameID was performed
  - Single Logout was completed
  - Defederation was performed
  - Server configuration (/var/zxid/zxid.conf) is bad
  - No metadata found after options exhausted (cache, fetch from net)
  - Metadata parsing error
  - XML parsing error in protocol
  - SAML call failed (often SOAP call)
  - Other error

  For WSP the OP is the command verb that was exercised.
  For WSC the OP is the command verb preceded by a capital C, e.g. "CQuery".

  Additional OP verbs may need to be specified for protocol substeps like artifact resolution (ART) and direct authentication (AUTH):
  - Artifact resolution request sent with SOAP (1)
  - Redirection with Authentication Request
  - Local Logout (1)
  - Redirection with Single Logout Request
  - Redirection with Manage NameID Request for changing NameID
  - Redirection with Manage NameID Request for defederation
  - Single Logout Request SOAP call made
  - Manage NameID Request for changing NameID SOAP call
  - Manage NameID Request for defederation SOAP call
  - SAML call OK (often SOAP call)

  Additional OP verbs may need to be specified for other logging operations like regular web access logs (HEAD, GET, POST):
  - IdP Selection screen is shown (2)
  - Management screen is shown (2)
  - Logged in (by SSO or session). Show protected content. arg is sid. (1)
  - SP Command Dispatch (received POST or redir) (2)
  - My metadata was served to requester on the net (1)
  - Getting metadata from net (2)
  - Got metadata from net (1)
  - Unknown CGI options (0, but not implemented yet)

PPP: Operation dependent, the one most relevant parameter. Dash ("-") if none.

FMT: Operation dependent free-form data. May contain spaces. Dash ("-") if none.
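As an added example (not ZXID's own code), the following parser accepts the three line shapes above and enforces the structural rules of the format: LF-only record terminators, exactly one space between fields, a free-form last field, the "501" convention for a missing source millisecond value, the "-" sentinel and the "-enca7n-" / "-encnid-" placeholders. It assumes the URL-safe base64 alphabet for "safe base64"; the letter codes of SE, RES and OP are not listed on this page, so the parser treats them as opaque strings and the constructed sample uses placeholder values for them.

```python
import re
from datetime import datetime, timezone

# Field order of a full record, taken from the format line above (14 fields).
FIELDS = ("se", "sig", "ourts", "srcts", "ip_port", "succeid", "mid",
          "a7nid", "nid", "vvv", "res", "op", "ppp", "fmt")
TS_RE = re.compile(r"^(\d{8})-(\d{6})\.(\d{3})$")   # YYYYMMDD-HHMMSS.TTT
SAFE_B64_RE = re.compile(r"^[A-Za-z0-9_-]+=*$")     # assumed: URL-safe base64 alphabet

def parse_ts(tok):  # YYYYMMDD-HHMMSS.TTT, always UTC -> (datetime, milliseconds)
    if not (m := TS_RE.match(tok)):
        raise ValueError("bad timestamp %r" % tok)
    dt = datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S")
    return dt.replace(tzinfo=timezone.utc), int(m.group(3))

def parse_line(line):  # returns a dict whose 'kind' is 'comment', 'encrypted' or 'record'
    if line.endswith("\r\n"):
        raise ValueError("records end with LF only, never CRLF")
    line = line.rstrip("\n")
    if line.startswith("#"):
        return {"kind": "comment", "text": line[1:].strip()}
    parts = line.split(" ", len(FIELDS) - 1)   # FMT is last and may contain spaces
    if "" in parts:
        raise ValueError("fields are separated by exactly one space")
    if len(parts) == 2:                        # SE CCCC: other fields are inside the blob
        if not SAFE_B64_RE.match(parts[1]):
            raise ValueError("encryption blob is not safe base64")
        return {"kind": "encrypted", "se": parts[0], "blob": parts[1]}
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    rec = {"kind": "record", **dict(zip(FIELDS, parts))}
    rec["ourts"], rec["our_ms"] = parse_ts(rec["ourts"])
    rec["srcts"], src_ms = parse_ts(rec["srcts"])
    rec["src_ms"] = None if src_ms == 501 else src_ms  # 501: source gave no millis
    ip, port = rec["ip_port"].rsplit(":", 1)           # peer address; may be spoofed
    rec["ip"], rec["port"] = ip, int(port)
    rec["a7n_encrypted"] = rec["a7nid"] == "-enca7n-"  # assertion could not be decrypted
    rec["nid_encrypted"] = rec["nid"] == "-encnid-"    # NameID could not be decrypted
    for k in ("sig", "mid", "a7nid", "nid", "ppp", "fmt"):
        rec[k] = None if rec[k] == "-" else rec[k]     # a dash means "none"
    rec["all_sigs_ok"] = rec["vvv"] == "O"             # capital Oh: all signatures validate
    return rec

def is_well_formed(line):
    try:
        parse_line(line)
        return True
    except ValueError:
        return False

# Constructed sample; "ZZ", "Z" and "OPNAME" stand in for codes this page does not list.
SAMPLE = ("ZZ - 20240102-030405.678 20240102-030400.501 192.0.2.10:49152 AbCdEfGhIjKlMnOpQrStUvWxYz0 "
          "- -enca7n- -encnid- O Z OPNAME - free form text, may contain spaces\n")
```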