8 Monitoring Oracle Identity Federation

This chapter describes how to monitor Oracle Identity Federation. Topics include:

• About Oracle Identity Federation Monitoring

• Monitoring Console

• Archiving Metrics

8.1 About Oracle Identity Federation Monitoring

Oracle Identity Federation administrators can derive several important benefits from the ability to monitor key aspects of their federation server deployment. Oracle Identity Federation real-time monitoring features enable you to:

• measure application performance

• observe application usage patterns

• detect potential security issues

• monitor availability and other aspects of server operation

This section contains these topics:

• Metrics

• Monitoring Components

• Monitoring Data Flow

8.1.1 Metrics

Oracle Identity Federation Monitoring provides the administrator with a number of metrics collected from a site's different server instances:

• Current Oracle Identity Federation server availability (Up/Down)

• Server availability over a user-defined time period

• Authentication requests sent by the service provider over a user-defined time period, categorized by:

  • total number of authentication requests sent

  • total successful requests

  • total failed requests

• Authentication requests received by the identity provider over a user-defined time period, categorized by:

  • total number of authentication requests received

  • total successful requests

  • total failed requests

• Name identifier registration requests sent by the identity provider over a user-defined time period, categorized by:

  • total number of name identifier registration requests sent

  • total successful requests

  • total failed requests

• Name identifier registration requests received by the identity provider over a user-defined time period, categorized by:

  • total number of name identifier registration requests received

  • total successful requests

  • total failed requests

• Name identifier registration requests sent by the service provider over a user-defined time period, categorized by:

  • total number of name identifier registration requests sent

  • total successful requests

  • total failed requests

• Name identifier registration requests received by the service provider over a user-defined time period, categorized by:

  • total number of name identifier registration requests received

  • total successful requests

  • total failed requests

• Federation termination requests sent by the identity provider over a user-defined time period, categorized by:

  • total number of federation termination requests sent

  • total successful requests

  • total failed requests

• Federation termination requests received by the identity provider over a user-defined time period, categorized by:

  • total number of federation termination requests received

  • total successful requests

  • total failed requests

• Federation termination requests sent by the service provider over a user-defined time period, categorized by:

  • total number of federation termination requests sent

  • total successful requests

  • total failed requests

• Federation termination requests received by the service provider over a user-defined time period, categorized by:

  • total number of federation termination requests received

  • total successful requests

  • total failed requests

The degree of aggregation depends on the type of information being presented. Some data is specific to a server instance, other data may apply to a server acting in a specific role such as Identity Provider, and still other data may be aggregated across all server instances.

8.1.2 Monitoring Components

Oracle Identity Federation monitoring components include:

1. Metrics Collection Engine

   Consisting of program logic that provides a framework for metric collection, this component is responsible for tracking and caching the metrics generated by an Oracle Identity Federation instance. Events such as requests, responses, and errors provide the inputs for metrics collection.

2. Data Transfer Module

   This tool formats the collected data into an appropriate format and makes it available for use by other monitoring components.

3. Monitoring Agent

   The Monitoring Agent periodically requests data from various Oracle Identity Federation instances. The agent consults a configuration file to determine which instances are to be queried, and the query interval. It then issues the appropriate requests to the data transfer modules of the relevant instances.

   Data collected by the Monitoring Agent is written to an in-memory cache. The data is also archived to a log file.

4. Monitoring Console

   The Monitoring Console is the interface that Oracle Identity Federation administrators use to view the collected metrics.

5. Archive Log

   This component allows the Monitoring Agent to save metrics to disk.

Metrics collection, handling, and transfer components reside in individual Oracle Identity Federation instances. The Monitoring Agent and Monitoring Console are bundled together as a separate J2EE application.

8.1.3 Monitoring Data Flow

Figure 8-1 shows how requests, metrics, and supporting data flows between and is used by the Monitoring Agent, Monitoring Console, and other Oracle Identity Federation components.

Figure 8-1 Data Flow Among Monitoring Components

The flow of data can be described as follows:

1. The Monitoring Agent periodically sends HTTP requests to Oracle Identity Federation.

2. Individual instances of Oracle Identity Federation utilize the data collection and formatting modules to gather and return their respective federation statistics to the Monitoring Agent.

3. The Monitoring Agent writes the data retrieved from Oracle Identity Federation to an in-memory cache.

4. The Monitoring Agent retrieves data from the in-memory cache when it needs to send the data to the Monitoring Console to satisfy a user request.

5. The Monitoring Agent writes the data retrieved from Oracle Identity Federation to a log file for archival purposes.

6. In the future, the Monitoring Agent will also be able to retrieve data from log files and send it to the Monitoring Console to satisfy user requests.

7. The Monitoring Console queries the Monitoring Agent for a specific set of metrics collected by Oracle Identity Federation.

8. The Monitoring Agent retrieves data from the cache (Step 4) and sends a set of metrics satisfying the query back to the Monitoring Console, where it is displayed to the user.

8.2 Monitoring Console

The Oracle Identity Federation Monitoring Console provides the following types of metrics for server administrators:

• Server availability metrics

• Protocol metrics on requests sent and received by providers, including:

  • Authentication requests

  • NameID requests

  • Federation termination requests

See Also: For a complete list of available metrics, see "Metrics" .

This section describes and provides examples of the Monitoring Console pages:

• Accessing the Console

• Monitor Agent Home

• Monitor Agent IdP Statistics Home

• Monitor Agent IdP Statistics (SSO)

• Monitor Agent IdP Statistics (Identity Federation)

• Monitor Agent IdP Statistics (Peer Provider)

• Monitor Agent SP Statistics Home

• Monitor Agent SP Statistics (SSO)

• Monitor Agent SP Statistics (Identity Federation)

• Monitor Agent SP Statistics (Peer Provider)

• Metric Display at the Console

8.2.1 Accessing the Console

To log into Oracle Identity Federation Monitoring Console:

1. On all platforms, start the login process by pointing your browser to the login URL:

   http://machine-name:open-port/fedmon

2. Log in to the Monitoring Console by entering the username oif_mon and the password supplied during installation.

8.2.1.1 Monitoring Agent Home Tab

The home page for the Oracle Identity Federation Monitoring Console contains a Monitored Installations table, which displays a list of all monitored server instances.

See Also: "Monitor Agent Home" for details

Monitoring Console Metrics Page

Selecting a server instance takes you to the metrics pages of the Oracle Identity Federation Monitoring Console for that instance. Each metrics page consists of two panels. The top panel allows you to compose a metric query. The bottom panel displays the results.

The different metrics pages are described in "Monitor Agent Home".

8.2.1.2 Monitoring Agent Configuration Tab

The Configuration tab allows you to monitor additional server instances and to maintain currently monitored installations.

See "Managing Monitored Installations" for details.

8.2.2 Monitor Agent Home

The home page is the starting point for monitoring Oracle Identity Federation. It contains:

• The current status of the Monitor Agent - running or stopped. Click the button to change the status of the Monitor Agent.

• A table showing the installations being monitored by the agent. Click on the link in the Identity Provider or Service Provider column to view statistics for that role.

8.2.3 Monitor Agent IdP Statistics Home

This is the home page for viewing identity provider statistics for an installation.

Fields at the top of the page let you control chart parameters:

• Begin Date is the start date and time of the monitored period.

• End Date is the end date and time of the monitored period.

Click the Apply button to refresh the display using the specified parameters.

8.2.4 Monitor Agent IdP Statistics (SSO)

This page displays authentication requests received by an identity provider in a specified period. The server instance ID and the role (IdP) are displayed at the top of the page.

Fields at the top of the page let you control chart parameters:

• Begin Date is the start date and time of the monitored period.

• End Date is the end date and time of the monitored period.

• Plot Interval is the interval, in minutes, to use for the chart's horizontal axis.

Click the Apply button to refresh the display using the specified parameters.

The chart shows total, successful, and failed requests in the period.

8.2.5 Monitor Agent IdP Statistics (Identity Federation)

This page displays Register NameID and Federation Termination requests sent to and received by an identity provider in a specified period. The server instance ID and the role (IdP) are displayed at the top of the page.

Fields at the top of the page let you control chart parameters:

• Begin Date is the start date and time of the monitored period.

• End Date is the end date and time of the monitored period.

• Plot Interval is the interval, in minutes, to use for the chart's horizontal axis.

Click the Apply button to refresh the display using the specified parameters.

The charts show Register NameID and Federation Termination requests sent and received in the period.

8.2.6 Monitor Agent IdP Statistics (Peer Provider)

This page displays summary statistics about requests exchanged between an identity provider and peer providers in the circle of trust in a specified period. The server instance ID and the role (IdP) are displayed at the top of the page.

Fields at the top of the page let you control chart parameters:

• Begin Date is the start date and time of the monitored period.

• End Date is the end date and time of the monitored period.

Click the Apply button to refresh the display using the specified parameters.

The display includes this information about requests exchanged with peer providers:

• Federation termination requests sent and received.

• NameID requests sent and received.

• Authentication requests received.

8.2.7 Monitor Agent SP Statistics Home

This is the home page for viewing service provider statistics for an installation.

Fields at the top of the page let you control chart parameters:

• Begin Date is the start date and time of the monitored period.

• End Date is the end date and time of the monitored period.

Click the Apply button to refresh the display using the specified parameters.

8.2.8 Monitor Agent SP Statistics (SSO)

This page displays authentication requests sent by a service provider in a specified period. The server instance ID and the role (SP) are displayed at the top of the page.

Fields at the top of the page let you control chart parameters:

• Begin Date is the start date and time of the monitored period.

• End Date is the end date and time of the monitored period.

• Plot Interval is the interval, in minutes, to use for the chart's horizontal axis.

Click the Apply button to refresh the display using the specified parameters.

The chart shows total, successful, and failed requests in the period.

8.2.9 Monitor Agent SP Statistics (Identity Federation)

This page displays Register NameID and Federation Termination requests sent to and received by a service provider in a specified period. The server instance ID and the role (SP) are displayed at the top of the page.

Fields at the top of the page let you control chart parameters:

• Begin Date is the start date and time of the monitored period.

• End Date is the end date and time of the monitored period.

• Plot Interval is the interval, in minutes, to use for the chart's horizontal axis.

Click the Apply button to refresh the display using the specified parameters.

The charts show Register NameID and Federation Termination requests sent and received in the period.

8.2.10 Monitor Agent SP Statistics (Peer Provider)

This page displays summary statistics about requests exchanged between a service provider and peer providers in the circle of trust in a specified period. The server instance ID and the role (SP) are displayed at the top of the page.

Fields at the top of the page let you control chart parameters:

• Begin Date is the start date and time of the monitored period.

• End Date is the end date and time of the monitored period.

Click the Apply button to refresh the display using the specified parameters.

The display includes this information about requests exchanged with peer providers:

• Federation termination requests sent and received

• NameID requests sent and received

• Authentication requests sent

8.2.11 Metric Display at the Console

The metrics display at the Monitoring Console can be controlled in these ways:

• Refreshing the browser.

• Clicking the Apply button located under the Chart Parameters section of the display.

• Changing the Begin and End Date chart parameters to vary the period included in the display, and clicking Apply.

• Changing the Plot Interval chart parameter on time series charts to change the chart granularity.

For example, here is a display of authentication requests received at an IdP, using a 5 minute plot interval:

And the same chart using a 1 minute plot interval:

8.3 Managing Monitored Installations

The Configuration tab of the Oracle Identity Federation Monitoring Agent allows you to monitor additional server instances and to maintain currently monitored installations.

You configure the monitoring agent with these pages:

• Monitored Installations

• Statistics Repository

8.3.1 Monitored Installations

The Monitored Installations page displays the Oracle Identity Federation instances being monitored by the Monitoring Agent.

Installation ID

This is the server's installation ID. Any user-friendly identifier can be chosen, since the entry does not need to correspond to any configured value such as a server ID.

Federation Server URL

This is the Oracle Identity Federation server URL, and is based on the following template:

http(s)://hostname:port

Identity Provider (IdP) Enabled

Indicates whether IdP monitoring of this instance is enabled at the Monitoring Agent site.

Service Provider (SP) Enabled

Indicates whether SP monitoring of this instance is enabled at the Monitoring Agent site.

Actions

Buttons on this page provide the following functions:

• Remove - removes this server from the list of monitored servers.

• Update - updates the server information.

• Add - allows you to add another server to be monitored.

8.3.2 Statistics Repository

This page allows you to view and update information about the monitoring statistics repository.

Statistics Repository Archive Location

This is the location on disk where the repository resides.

Statistic Repository Cache Duration

This is the time, in minutes, that the repository data is maintained before being flushed from cache.

Data Collection Interval

This is the frequency, in minutes, at which the monitoring agent collects data for the monitored servers.

Actions

Buttons on this page provide the following functions:

• Save - updates the repository information.

• Reset - resets the original values that were displayed on the screen before you made any changes.

8.4 Archiving Metrics

To set up metrics archival, you use the Statistics Repository page of the Oracle Identity Federation Monitor Agent Configuration tab. The relevant fields are:

• Statistics Repository Archive Location - specify the location of the archive file on disk.

• Statistic Repository Cache Duration - specify the interval, in minutes, after which the data present in the cache is discarded.

  
  

  Note: Newly collected data is written simultaneously to both the cache (memory) and the archive (disk), but data is never transferred from the cache to the archive.

  
  

• Data Collection Interval - enter the frequency, in minutes, at which the monitoring agent should collect data for the monitored servers.