Customizing Identity Provider Logs

The Identity Provider uses the Logback logging system. The Logback manual provides an exhaustive set of directions and available options that may be configured. This document does not attempt to replicate that information; instead it provides Shibboleth-specific logging information and instructions for performing simple, common tasks.

Logging Configuration

The logging configuration for the IdP is located at $IDP_HOME/conf/logging.xml. This file is checked for changes every 5 minutes and is reloaded if changes have been made. This means a deployer can keep the logging level at WARN until a problem occurs and then change the logging to DEBUG to get more information if the problem persists, all without restarting the IdP.

Useful Loggers

The following coarse-grained loggers provide useful information in most situations:

| Category | Description |
|---|---|
| Shibboleth-Access | The logger to which Shibboleth access messages (think HTTP access logs) are written |
| Shibboleth-Audit | The logger to which Shibboleth audit messages are written |
| org.opensaml | Messages related only to receiving, parsing, evaluating security of, producing, and encoding SAML messages |
| edu.internet2.middleware.shibboleth | Messages related to all the non-SAML message parsing/encoding work; profile handling, authentication, attribute resolution and filtering |
| edu.internet2.middleware.shibboleth.idp | IdP messages related only to authentication |
| edu.internet2.middleware.shibboleth.common.attribute | IdP messages related only to attribute resolution and filtering |
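
The fragment below is an added example, not the logging.xml shipped with the IdP. It shows the WARN-then-DEBUG workflow described under Logging Configuration, applied to the loggers listed above, by raising only the attribute logger while the rest stay at WARN. The appender name, the output pattern and the INFO level on the access and audit loggers are assumptions made for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: a sketch of $IDP_HOME/conf/logging.xml, not the shipped file. -->
<configuration>

    <!-- Assumed appender: the name and pattern are placeholders for this example. -->
    <appender name="EXAMPLE_CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
        <encoder>
            <pattern>%date{HH:mm:ss.SSS} %level [%logger] %msg%n</pattern>
        </encoder>
    </appender>

    <!-- Access and audit records stay on whatever the troubleshooting level is.
         INFO is an assumed level for this example. -->
    <logger name="Shibboleth-Access" level="INFO"/>
    <logger name="Shibboleth-Audit" level="INFO"/>

    <!-- Normal operation: the coarse-grained loggers sit at WARN. -->
    <logger name="org.opensaml" level="WARN"/>
    <logger name="edu.internet2.middleware.shibboleth" level="WARN"/>

    <!-- Troubleshooting attribute resolution or filtering: raise only the
         narrowest logger that covers the problem. Logback resolves the level
         from the most specific matching logger name, so this overrides the
         WARN set on edu.internet2.middleware.shibboleth for this package only.
         Set it back to WARN once the problem is understood. -->
    <logger name="edu.internet2.middleware.shibboleth.common.attribute" level="DEBUG"/>

    <!-- Everything not named above inherits WARN from the root logger. -->
    <root level="WARN">
        <appender-ref ref="EXAMPLE_CONSOLE"/>
    </root>

</configuration>
```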