7 Diagnostics and Auditing

This chapter describes Oracle Enterprise Manager Fusion Middleware Control monitoring and logging features for Oracle Identity Federation. It contains these sections:

Note:

Liberty 1.x support is deprecated.

7.1 Monitoring

This section describes how to monitor your Oracle Identity Federation server.

7.1.1 Oracle Identity Federation Home Page

This is the home page for your Oracle Identity Federation server instance.

[Figure: Oracle Identity Federation home page (oifhome2.gif)]

This page summarizes statistics about the server instance. For details about the metrics shown here, see Section 7.1.2, "Performance Summary".

7.1.2 Performance Summary

Oracle Identity Federation provides a number of built-in metrics to enable application developers, system administrators, and others to measure application-specific performance information. Metrics for system, state, and phase events are available in these functional areas:

  • Protocol Profiles

  • Enterprise Data Tier Connectivity

  • Security Protocol Messages

  • Data Model (JVT DiscoveryProviders)

This section contains these topics:

7.1.2.1 About Sensor Weights

The DMS sensor weight is a setting on the managed server on which Oracle Identity Federation is running; the sensor weight determines which metrics you see:

  • all - All sensors are activated.

  • normal (or no weight value set) - All sensors at the normal level are activated.

  • heavy - All sensors at the default level and at the heavy level are activated.

  • none - No sensors are activated.

Given the cost of running expensive instrumentation, setting the sensor weight to conditionally activate only the necessary sensors lets you efficiently collect relevant metric data about the server.

Set the Sensor Weight

If you start Oracle WebLogic Server using the administration console, set the -Doracle.dms.sensors=level property in the Servers > serverName > Server Start > Arguments section for the server, where level is one of the sensor levels described above.

If you start Oracle WebLogic Server through a script, set the -Doracle.dms.sensors=level property in the domain_home/bin/startManagedWebLogic.sh script.

7.1.2.2 Event Metrics

This section contains these topics:

Note:

In the tables that follow, the Label column is the short label attached to the metric in Fusion Middleware Control, and the Description column describes the metric.

7.1.2.2.1 Protocol Profiles

Table 7-1 shows the protocol profile metrics:

Table 7-1 Protocol Profile Events

| Name | Label | Description | Weight |
|---|---|---|---|
| Requests | HTTP and SOAP Requests | Total number of requests received. This is the sum of the RequestsHTTP and RequestsSOAP request messages. | normal |
| RequestsHTTPRedirect | HTTP Requests using Redirect Binding | Total number of requests sent or received using HTTP Redirect binding. | normal |
| RequestsHTTPPOST | HTTP Requests using POST Binding | Total number of requests sent or received using HTTP-POST binding. | normal |
| RequestsHTTPPOSTSimpleSign | HTTP Requests using POST Simple Sign Binding | Total number of requests sent or received using HTTP-POST Simple Sign binding. | normal |
| RequestsSOAP | SOAP Requests | Total number of requests sent or received using the SOAP binding. | normal |
| WellFormedRequests | Received XML Requests successfully parsed | Total number of well-formed requests received, that is, those that resulted in no XML translation errors. | normal |
| BadlyFormedRequests | Received XML Requests with parsing failures | Total number of badly formed requests, that is, those that resulted in XML translation errors. | normal |
| SignedRequests | Requests signed | Total number of requests sent or received with message level signatures. | normal |
| EncryptedRequests | Requests encrypted | Total number of requests sent or received with message level encryption. | normal |
| SignedAndEncryptedRequests | Requests both signed and encrypted | Total number of requests sent or received with message level signatures and encryption. | normal |
| Responses | HTTP or SOAP Responses | Total number of responses sent or received. This is the sum of the ResponsesHTTP and ResponsesSOAP response messages. | normal |
| ResponsesHTTPRedirect | HTTP Responses using Redirect Binding | Total number of responses sent or received using HTTP Redirect binding. | normal |
| ResponsesHTTPPOST | HTTP Responses using POST Binding | Total number of responses sent or received using HTTP-POST binding. | normal |
| ResponsesHTTPPOSTSimpleSign | HTTP Responses using POST Simple Sign Binding | Total number of responses sent or received using HTTP-POST Simple Sign binding. | normal |
| ResponsesSOAP | SOAP Responses | Total number of responses sent or received using the SOAP binding. | normal |
| ErrorResponses | Error Responses | Total number of responses sent or received with error status. | normal |
| SignedResponses | Responses Signed | Total number of responses sent or received with message level signatures. | normal |
| EncryptedResponses | Responses Encrypted | Total number of responses sent or received with message level encryption. | normal |
| SignedAndEncryptedResponses | Responses both Signed and Encrypted | Total number of responses sent or received with message level signatures and encryption. | normal |
| AttributeQueryRequests | AttributeQuery Requests | Total number of <AttributeQuery> requests sent by the SP or received by the IDP. | normal |
| AttributeQueryResponses | AttributeQuery Responses | Total number of <Response> responses sent by the IDP or received by the SP. | normal |
| AttributeQueryErrorResponses | AttributeQuery Error Responses | Total number of <Response> error responses sent by the IDP or received by the SP. | normal |
| AuthnRequestRequests | AuthnRequest Requests | Total number of <AuthnRequest> or <Request> requests sent by the SP or received by the IDP. | normal |
| AuthnRequestResponses | AuthnRequest Responses | Total number of <Response> or <AuthnResponse> responses sent by the IDP or received by the SP. | normal |
| AuthnRequestErrorResponses | AuthnRequest Error Responses | Total number of <Response> or <AuthnResponse> error responses sent by the IDP or received by the SP. | normal |
| SecurityTokenResponses | RequestSecurityToken Responses | Total number of <RequestSecurityTokenResponse> responses sent by the IDP or received by the SP. | normal |
| LogoutRequests | Logout Requests | Total number of <LogoutRequest> or <SignOut> requests sent or received. | normal |
| LogoutResponses | Logout Responses | Number of LogoutResponse messages sent or received. | normal |
| LogoutErrorResponses | Logout Error Responses | Number of LogoutResponse messages with error status sent or received. | normal |
| NameIDManagementRequests | ManageNameIDRequests | Total number of <ManageNameIDRequest>, <RegisterNameIdentifier>, or <FederationTerminationNotification> requests sent or received. | normal |
| NameIDManagementResponses | ManageNameIDResponses | Total number of <ManageNameIDResponse> or RegisterNameIdentifier responses sent or received. | normal |
| NameIDManagementErrorResponses | ManageNameID Error Responses | Total number of <ManageNameIDRequest>, <RegisterNameIdentifier>, or <FederationTerminationNotification> error responses sent or received. | normal |
| ArtifactResolutionRequests | ArtifactResolve Requests | Total number of <ArtifactResolve> or <Request> requests sent by the SP or received by the IDP. | normal |
| ArtifactResolutionResponses | ArtifactResolve Responses | Total number of <ArtifactResponse> or <Response> responses sent by the IDP or received by the SP. | normal |
| ArtifactResolutionErrorResponses | ArtifactResolve Error Responses | Total number of <ArtifactResponse> or <Response> error responses sent by the IDP or received by the SP. | normal |
| NameIdentifierFormat_Persistent | NameIDs of Persistent format processed | Total usage of Persistent Name Identifier in messages processed at the SP or IDP. | normal |
| NameIdentifierFormat_Transient | NameIDs of Transient format processed | Total usage of Transient Name Identifier in messages processed at the SP or IDP. | normal |
| NameIdentifierFormat_Unspecified | NameIDs of Unspecified format processed | Total usage of Unspecified Name Identifier in messages processed at the SP or IDP. | normal |
| NameIdentifierFormat_EmailAddress | NameIDs of EmailAddress format processed | Total usage of Email Address Name Identifier in messages processed at the SP or IDP. | normal |
| NameIdentifierFormat_X509DN | NameIDs of X509SubjectName format processed | Total usage of X.509 Subject Name Identifier in messages processed at the SP or IDP. | normal |
| NameIdentifierFormat_Windows | NameIDs of WindowsDomainQualifiedName format processed | Total usage of Windows Domain Qualified Name Identifier in messages processed at the SP or IDP. | normal |
| NameIdentifierFormat_Kerberos | NameIDs of Kerberos format processed | Total usage of Kerberos Principal Name Identifier in messages processed at the SP or IDP. | normal |
| RequestProcessed | ApplicationController Requests | Total number of requests processed by ApplicationController. | normal |


7.1.2.2.2 Security Processing

Table 7-2 shows the security processing metrics:

Note:

In the table, the Label column is the short label attached to the metric in Fusion Middleware Control, and the Description column describes the metric.

Table 7-2 Security Processing Events

| Name | Label | Description | Weight |
|---|---|---|---|
| XMLSignatures_Signed | XML Signatures Generated | Total number of XML signatures generated. | normal |
| XMLSignatures_Verified | XML Signatures Verification Successes | Total number of XML signatures verified successfully. | normal |
| XMLSignatures_VerifyFailed | XML Signatures Verification Failures | Total number of XML signature verification failures. | normal |
| XMLEncryption_Encryptions | XML Encryptions Generated | Total number of XML encryptions generated. | normal |
| XMLEncryption_Decryptions | XML Decryption Successes | Total number of successful XML decryptions. | normal |
| XMLEncryption_DecryptionFailures | XML Decryption Failures | Total number of XML decryption failures. | normal |
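The counters in Tables 7-1 and 7-2 are running totals, so a security-relevant signal such as the share of incoming messages whose XML signature fails to verify, or the share of requests that do not parse, only becomes visible when two snapshots are compared. The following Python is an added example, not Oracle's code or a Fusion Middleware Control feature: it uses the metric names from the two tables, while the snapshot values, the thresholds and the helper names (interval_counts, security_signals, alerts) are constructed for illustration.

```python
"""Derive security health signals from Oracle Identity Federation DMS counters.

Added example, not Oracle's code. The metric names are those of Tables 7-1
and 7-2; every counter value and threshold below is constructed sample data.
"""
from typing import Dict, List

Snapshot = Dict[str, int]

# Two successive reads of the cumulative "Total number of ..." counters, as
# they might be taken from the Performance Summary page. Constructed values.
SNAPSHOT_T0: Snapshot = {
    "Requests": 10_000,
    "BadlyFormedRequests": 12,
    "Responses": 9_900,
    "ErrorResponses": 40,
    "XMLSignatures_Verified": 9_700,
    "XMLSignatures_VerifyFailed": 15,
    "XMLEncryption_Decryptions": 3_000,
    "XMLEncryption_DecryptionFailures": 2,
}
SNAPSHOT_T1: Snapshot = {
    "Requests": 10_600,
    "BadlyFormedRequests": 140,
    "Responses": 10_480,
    "ErrorResponses": 60,
    "XMLSignatures_Verified": 10_200,
    "XMLSignatures_VerifyFailed": 95,
    "XMLEncryption_Decryptions": 3_150,
    "XMLEncryption_DecryptionFailures": 2,
}

# Per-interval alert thresholds; constructed values, tune them to your baseline.
THRESHOLDS: Dict[str, float] = {
    "badly_formed_rate": 0.05,
    "signature_failure_rate": 0.02,
    "decryption_failure_rate": 0.02,
    "error_response_rate": 0.10,
}


def interval_counts(before: Snapshot, after: Snapshot) -> Snapshot:
    """Per-interval counts from two cumulative snapshots.

    The DMS metrics are running totals, so rates must be computed on the
    difference between snapshots. A total that went down means the managed
    server restarted and the counter reset; the new total is then the count
    for the interval.
    """
    counts: Snapshot = {}
    for name, now in after.items():
        earlier = before.get(name, 0)
        counts[name] = now - earlier if now >= earlier else now
    return counts


def _rate(numerator: int, denominator: int) -> float:
    return numerator / denominator if denominator else 0.0


def security_signals(before: Snapshot, after: Snapshot) -> Dict[str, float]:
    """Ratios that point at malformed, tampered or rejected federation traffic."""
    c = interval_counts(before, after)
    signatures = c["XMLSignatures_Verified"] + c["XMLSignatures_VerifyFailed"]
    decryptions = c["XMLEncryption_Decryptions"] + c["XMLEncryption_DecryptionFailures"]
    return {
        "badly_formed_rate": _rate(c["BadlyFormedRequests"], c["Requests"]),
        "signature_failure_rate": _rate(c["XMLSignatures_VerifyFailed"], signatures),
        "decryption_failure_rate": _rate(c["XMLEncryption_DecryptionFailures"], decryptions),
        "error_response_rate": _rate(c["ErrorResponses"], c["Responses"]),
    }


def alerts(before: Snapshot, after: Snapshot) -> List[str]:
    """The signals that exceed their threshold for this interval, as messages."""
    signals = security_signals(before, after)
    return [
        f"{name}={signals[name]:.3f} exceeds {limit}"
        for name, limit in THRESHOLDS.items()
        if signals[name] > limit
    ]


if __name__ == "__main__":
    for line in alerts(SNAPSHOT_T0, SNAPSHOT_T1):
        print(line)
```

With the constructed snapshots, 128 of the 600 new requests were badly formed and 80 of 580 signature verifications failed, so the badly-formed and signature-failure signals fire while the error-response and decryption signals stay quiet; the comparison against a baseline is what turns these totals into something a SOC can act on.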


7.1.2.3 State Events

The following metric is collected for enterprise data-tier connectivity:

  • Server_OpenSessions - The Fusion Middleware Control label for this metric is "Open Server Connections". It represents the total number of open connections with LDAP or RDBMS server.

    The sensor weight is "all".

7.1.2.4 Phase Events

This section contains these topics:

7.1.2.4.1 Data Model

Table 7-3 shows the JVTDiscoveryProviders metrics by phase event sensors:

Note:

In the table, the Label column is the short label attached to the metric in Fusion Middleware Control, and the Description column describes the metric.

Table 7-3 JVTDiscoveryProvider Events

| Name | Label | Description | Weight |
|---|---|---|---|
| ArtifactCreation | SAML Artifact Creation Time (ms) | Time taken to create the artifact by Artifact DiscoveryProvider. | heavy |
| LocateArtifact | SAML Artifact Retrieval Time (ms) | Time taken to locate the artifact by Artifact DiscoveryProvider. | heavy |
| LocateConfiguration | Server Configuration Retrieval Time (ms) | Time taken to locate protocol/server configuration by Configuration DiscoveryProvider. | heavy |
| LocateMetadata | Provider Metadata Retrieval Time (ms) | Time taken to locate the metadata by Metadata DiscoveryProvider. | heavy |
| ProfileStateCreation | ProfileState Object Creation Time (ms) | Time taken to create profile state by ProfileState DiscoveryProvider. | heavy |
| LocateProfileState | ProfileState Object Retrieval Time (ms) | Time taken to locate profile state by ProfileState DiscoveryProvider. | heavy |
| SessionCreation | User Session Retrieval or Creation Time (ms) | Time taken to create or locate the user session by Session DiscoveryProvider. | heavy |
| LocateUser | User Object Retrieval Time (ms) | Time taken to locate the user by User DiscoveryProvider. | heavy |
| LocateSession | Session Object Retrieval Time (ms) | Time taken to locate the session. | heavy |
| CreateActiveServiceProviderFederation | Active SP Federation Creation Time (ms) | Time taken to create the active service provider federation. | heavy |
| LocateActiveServiceProviderFederation | Active SP Federation Retrieval Time (ms) | Time taken to locate the active service provider federation. | heavy |
| CreateActiveIdentityProviderFederation | Active IdP Federation Creation Time (ms) | Time taken to create the active Identity Provider federation. | heavy |
| LocateActiveIdentityProviderFederation | Active IdP Federation Retrieval Time (ms) | Time taken to locate the active Identity Provider federation. | heavy |
| LocateProviderFederation | Provider Federation Retrieval Time (ms) | Time taken to locate the Provider federation. | heavy |
| LocateTemporaryProviderFederation | Temporary Provider Federation Retrieval Time (ms) | Time taken to locate the active Temporary Provider federation. | heavy |
| CreateAffiliationProviderFederation | Affiliation Federation Creation Time (ms) | Time taken to create the Affiliation Provider federation. | heavy |
| LocateAffiliationFederation | Affiliation Federation Retrieval Time (ms) | Time taken to locate the Affiliation federation. | heavy |
| CreateServiceProviderFederation | SP Federation Creation Time (ms) | Time taken to create the service provider federation. | heavy |
| CreateIdentityProviderFederation | IdP Federation Creation Time (ms) | Time taken to create the Identity Provider federation. | heavy |
| DeleteSession | Session Deletion Time (ms) | Time taken to delete the session. | heavy |
| CreateBinaryLargeObject | Database BLOB Creation Time (ms) | Time taken to create the BLOB. | heavy |
| LocateBinaryLargeObject | Database BLOB Retrieval Time (ms) | Time taken to locate the BLOB. | heavy |
| SessionPersistence | Time to Persist Session Data (ms) | Time taken to persist the session. | heavy |
| DeleteArtifact | SAML Artifact Deletion Time (ms) | Time taken to delete the artifact. | heavy |
| DeleteProfileState | ProfileState Data Deletion Time (ms) | Time taken to delete the Profile State. | heavy |
| DeleteActiveIdPFederation | Active IdP Federation Deletion Time (ms) | Time taken to delete the active IdP federation. | heavy |
| DeleteActiveSPFederation | Active SP Federation Deletion Time (ms) | Time taken to delete the active SP federation. | heavy |
| DeleteProviderFederation | Provider Federation Deletion Time (ms) | Time taken to delete the provider federation. | heavy |
| ProviderFederationPersistence | Time to Persist a Provider Federation (ms) | Time taken to persist the provider federation. | heavy |


7.1.2.4.2 Protocol Profiles

Table 7-4 shows the protocol profile metrics collected by phase event sensors for requests and responses:

Note:

In the table, the Label column is the short label attached to the metric in Fusion Middleware Control, and the Description column describes the metric.

Table 7-4 Protocol Profile Events

| Name | Label | Description | Weight |
|---|---|---|---|
| LocalAuthn | Local User Authentication Time (ms) | Time taken by the user to get authenticated locally at IdP/SP. | normal |
| AuthnRequestProcessing | AuthnRequest Processing Time at the IdP (ms) | Time taken to process AuthnRequest at IdP. | heavy |
| AuthnResponseProcessing | AuthnResponse Processing Time at SP (ms) | Time taken to process AuthnResponse at SP. | normal |
| ArtifactProcessing | SAML Artifact Processing Time (ms) | Time taken to process Artifact. | heavy |
| Logout | Global Logout Time (ms) | Time taken for global logout. | heavy |
| RequestProcessing | Incoming Request Processing Time (ms) | Time taken by ApplicationController to process request. | normal |
| EventProcessing | Event Processing Time (ms) | Time taken by ActionStateMachine to process event. | heavy |


7.1.2.4.3 Security Processing

Table 7-5 shows the metrics collected during security processing by phase event sensors:

Note:

In the table, the Label column is the short label attached to the metric in Fusion Middleware Control, and the Description column describes the metric.

Table 7-5 Security Processing for Phase Events

| Name | Label | Description | Weight |
|---|---|---|---|
| XMLSigner | XML Message Signing Time (ms) | Time taken by XMLSigner to sign message. | heavy |
| XMLSignatureVerifier | XML Message Signature Verification Time (ms) | Time taken by XMLSignatureVerifier to verify the message signature. | heavy |
| QueryStringSigner | URL Query String Signing Time (ms) | Time taken to sign the Query string. | heavy |
| QueryStringSignatureVerifier | URL Query String Signature Verification Time (ms) | Time taken to verify the signature for Query string. | heavy |
| XMLEncryptionService | XML Message Encryption Time (ms) | Time taken to encrypt the message. | heavy |
| XMLDecryptionService | XML Message Decryption Time (ms) | Time taken to decrypt the message. | heavy |
| SerializeMessage | XML Message Marshalling Time (ms) | Time taken by LibertyProtocolMarshaller to serialize the message. | heavy |
| DeSerializeMessage | XML Message Unmarshalling Time (ms) | Time taken by the LibertyProtocolMarshaller to deserialize the message. | heavy |


7.2 Availability

Oracle Identity Federation is a Java component whose availability is tracked through Fusion Middleware Control.

For details, see Getting Started Using Oracle Enterprise Manager Fusion Middleware Control in the Oracle Fusion Middleware Administrator's Guide.

7.3 Logging

This section describes logging for Oracle Identity Federation:

For more information about logging in Oracle Fusion Middleware, see Managing Log Files and Diagnostic Data in the Oracle Fusion Middleware Administrator's Guide.

7.3.1 About Oracle Identity Federation Logging

This section provides a basic overview of logging for Oracle Identity Federation. Topics include:

7.3.1.1 Types of Logs

Oracle Identity Federation provides two types of logs:

  • Persistent Logs - These logs persist across component restarts.

  • Runtime Logs - These logs are created automatically by the server at runtime and become active when a specific feature is activated.

The persistent log files include:

  • servername-diagnostic.log - Contains general application log messages, debug messages, and error messages. This log is also referred to as the federation log.

  • Other log files that may contain logging messages pertaining to Oracle Identity Federation are servername.log and servername.out.

7.3.1.2 Log Levels

Table 7-6 shows the log levels of Oracle Identity Federation log messages:

Table 7-6 Oracle Identity Federation Log Levels

| Log Level | Description |
|---|---|
| INTERNAL ERROR | Events that represent unrecoverable errors. |
| ERROR | Events that represent recoverable and unrecoverable errors. |
| WARNING | Events that represent failures in processing external and implicit Oracle Identity Federation server actions. |
| NOTIFICATION | High-level Oracle Identity Federation operational events describing a flow. |
| TRACE | Events with detailed processing flows and state information. |


7.3.1.3 Message IDs

Oracle Identity Federation log messages fall into these categories:

Table 7-7 Oracle Identity Federation Message Categories

| Message ID Range | Message Category |
|---|---|
| FED-10000 to FED-10099 | Compliance |
| FED-10100 to FED-10999 | Configuration |
| FED-11000 to FED-11699 | Data |
| FED-11700 to FED-11999 | Network |
| FED-12000 to FED-12999 | Other |
| FED-13000 to FED-14999 | Programmatic |
| FED-15000 to FED-17999 | Requests and Responses |
| FED-18000 to FED-19999 | Security |
| FED-20000 to FED-20099 | Threads |
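The message-ID ranges make it possible to route diagnostic log messages by category, for example to forward Security-category errors and warnings from servername-diagnostic.log to a SIEM while leaving Threads notifications alone. The following Python is an added example, not Oracle's code: the ranges and category names come from Table 7-7; the bracketed line layout is the Oracle Diagnostic Logging text format as assumed here, and the sample lines, including their FED numbers, are constructed rather than real message IDs.

```python
"""Classify Oracle Identity Federation diagnostic log lines by message ID.

Added example, not Oracle's code. The FED-nnnnn ranges and category names are
those of Table 7-7. The bracketed line layout is the Oracle Diagnostic Logging
(ODL) text format as assumed here; every sample line, including its message
number, is constructed rather than taken from a server.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Inclusive ranges from Table 7-7.
MESSAGE_RANGES: List[Tuple[int, int, str]] = [
    (10000, 10099, "Compliance"),
    (10100, 10999, "Configuration"),
    (11000, 11699, "Data"),
    (11700, 11999, "Network"),
    (12000, 12999, "Other"),
    (13000, 14999, "Programmatic"),
    (15000, 17999, "Requests and Responses"),
    (18000, 19999, "Security"),
    (20000, 20099, "Threads"),
]

# Assumed ODL text layout: [timestamp] [server] [level] [message-id] [module] ... text
ODL_LINE = re.compile(
    r"^\[(?P<timestamp>[^\]]+)\] \[(?P<server>[^\]]+)\] \[(?P<level>[^\]]+)\] "
    r"\[(?P<message_id>FED-\d{5})\] \[(?P<module>[^\]]+)\](?P<rest>.*)$"
)
ECID_FIELD = re.compile(r"\[ecid: ([^\]]+)\]")

# Constructed sample lines; the FED numbers are illustrative, not real message IDs.
# The last line is a stack-trace continuation, which the parser must tolerate.
SAMPLE_LOG: List[str] = [
    "[2013-03-04T10:15:22.117-08:00] [oif_server1] [ERROR] [FED-18001] [oracle.security.fed.sec] [tid: 12] [ecid: 0000J3a,0] Signature verification failed for incoming message",
    "[2013-03-04T10:15:22.340-08:00] [oif_server1] [NOTIFICATION] [FED-18250] [oracle.security.fed.sec] [tid: 12] [ecid: 0000J3a,0] Message decrypted",
    "[2013-03-04T10:16:01.002-08:00] [oif_server1] [WARNING] [FED-10120] [oracle.security.fed.config] [tid: 7] [ecid: 0000J3b,0] Configuration reloaded",
    "[2013-03-04T10:16:30.555-08:00] [oif_server1] [NOTIFICATION] [FED-15042] [oracle.security.fed.controller] [tid: 9] [ecid: 0000J3c,0] AuthnRequest received",
    "[2013-03-04T10:17:00.000-08:00] [oif_server1] [WARNING] [FED-20010] [oracle.security.fed.jvt] [tid: 3] [ecid: 0000J3d,0] thread interrupt occurred during sleep()",
    "java.lang.InterruptedException: sleep interrupted",
]


def category_for(message_id: str) -> Optional[str]:
    """Map a FED-nnnnn ID to its Table 7-7 category, or None if out of range."""
    number = int(message_id.split("-", 1)[1])
    for low, high, category in MESSAGE_RANGES:
        if low <= number <= high:
            return category
    return None


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse one ODL line; continuation lines such as stack traces return None."""
    match = ODL_LINE.match(line)
    if match is None:
        return None
    record: Dict[str, Optional[str]] = dict(match.groupdict())
    record["category"] = category_for(match.group("message_id"))
    ecid = ECID_FIELD.search(match.group("rest"))
    record["ecid"] = ecid.group(1) if ecid else None  # lets you join with audit records
    return record


def count_by_category(lines: Iterable[str]) -> Counter:
    """How many lines fall into each Table 7-7 category."""
    counts: Counter = Counter()
    for line in lines:
        record = parse_line(line)
        if record is None:
            counts["unparsed"] += 1
        else:
            counts[record["category"] or "unknown"] += 1
    return counts


def security_problems(lines: Iterable[str]) -> List[Dict[str, Optional[str]]]:
    """Security-category records at error or warning level, the ones to forward."""
    levels = ("INTERNAL ERROR", "ERROR", "WARNING")
    out = []
    for line in lines:
        record = parse_line(line)
        if record and record["category"] == "Security" and record["level"] in levels:
            out.append(record)
    return out


if __name__ == "__main__":
    print(dict(count_by_category(SAMPLE_LOG)))
    for problem in security_problems(SAMPLE_LOG):
        print(problem["message_id"], problem["ecid"], problem["rest"])
```

The ECID is extracted on purpose: it is the execution context ID that Section 7.4.1.1.5 lists as a shared audit attribute, so a Security-category error in the diagnostic log can be tied to the audit record of the same request.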


7.3.1.4 Tools for Log Configuration

Oracle Identity Federation provides two tools for log configuration and management:

  • Fusion Middleware Control for GUI-based configuration

  • wlst for command-line configuration

7.3.2 Viewing Oracle Identity Federation Log Messages

Log in to Fusion Middleware Control and navigate to the Oracle Identity Federation instance. In the Oracle Identity Federation drop-down menu, select Logs, then View Log Messages.

7.3.2.1 Select Messages to View

Take these steps to select messages to view:

  1. From the Oracle Identity Federation menu, select Logs, then View Log Messages. The Log Messages page appears.

  2. Select the date range for the logs you want to view. You can select most recent, by minutes, hours or days. Alternatively, you can select a time interval and specify the date and time to start and end.

  3. Select the message types you want to view.

  4. Specify any additional conditions (such as display only messages that contain some string).

  5. To perform a specific search, choose Add Fields and add fields on which to search. For each field, select a criterion from the list, then enter text into the box. Choose the red X to delete a field. Choose Add Fields to add additional fields. When you have finished adding criteria, click Search.

7.3.2.2 Specify View Options

In addition to specifying messages to view, several other viewing options are available:

  • Use the Broaden Target Scope list to view messages for the domain.

  • Choose Export Messages to File to export the log messages to a file as XML, text, or comma-separated list.

  • Click Target Log Files to view information about individual log files.

  • You can indicate when to refresh the view. Select Manual Refresh, 30-Second Refresh, or One Minute Refresh from the list on the upper right.

  • Use the View list to change the columns listed or to reorder columns.

  • Use the Show list to change the grouping of messages.

  • Collapse the Search label to view only the list of log messages.

  • To view the contents of a log file, double-click the file name in the Log File column. The View Log File: filename page is displayed. You can use the up and down arrows in the Time, Message Type, and Message ID columns to reorder the records in the file.

7.3.3 Configuring Oracle Identity Federation Logs

Use these pages to view and configure Oracle Identity Federation server logs.

Take these steps to navigate to the log configuration page:

  1. Log in to Fusion Middleware Control and navigate to the Oracle Identity Federation instance.

  2. In the Oracle Identity Federation drop-down menu, select Logs, then Log Configuration.

Topics include:

7.3.3.1 Configure Oracle Identity Federation Log Levels

Use this page to:

  • view and update logging levels for Oracle Identity Federation loggers.

  • create a new persistent logger.

Each logger logs messages for a specific server function; for example, the EJB deployment logger logs messages for an EJB module.

View or Update Logger Level

Use the View drop-down to select the logger.

Fields include:

  • Logger Name - This is the name of the logger.

  • Oracle Diagnostic Logging Level - This is the logging level. Use the level drop-down to change the log level.

  • Log File - This is the name of the log file. Click on a log file name to view and update the properties of the log file.

Specify a Logger

This portion of the page appears when you select "Loggers with Persistent Log Level" in the View drop-down.

Supply the following information to create a persistent logger:

  • Name - Enter a name for the new logger.

  • Oracle Diagnostic Logging Level - This is the logging level. Use the level drop-down to select a log level.

Buttons on the page perform the following functions:

  • Apply - Save the logger configuration updates or generate the new logger information.

  • Revert - Discard the configuration updates.

7.3.3.2 Configure Oracle Identity Federation Log Files

For information on configuring log files, see Configuring Settings for Log Files in the Oracle Fusion Middleware Administrator's Guide.

7.3.4 Common Log Messages

This section explains some common messages you may encounter in the Oracle Identity Federation logs.

7.3.4.1 thread interrupt Messages

You may see a message like the following in the managed server log file:

oracle.security.fed.jvt.discovery.model.session.RDBMSSessionDiscoveryProvider
run
WARNING: InterruptedException: thread interrupt occurred during sleep()
java.lang.InterruptedException: sleep interrupted

These messages are only notifications indicating that the RDBMS sleeping threads have been killed as a result of a configuration reload; new threads were created to replace these threads. No action is required.

7.4 Auditing

Oracle Identity Federation uses the Fusion Middleware Audit Framework for auditing.

This section explains what events are audited, and how to configure auditing for Oracle Identity Federation. It contains these sections:

See Also:

Configuring and Managing Auditing in the Oracle Fusion Middleware Application Security Guide for details about audit configuration.

7.4.1 About Auditing in Oracle Identity Federation

This section lists the events that you can audit in different categories, and explains audit levels.

7.4.1.1 Categories of Audit Events

There are four categories of audit events for Oracle Identity Federation:

  • User Session Management

  • Protocol Flow

  • Server Configuration

  • Security

The events for each category are described in these subsections.

7.4.1.1.1 User Session Management Events

Session management events and the attributes of each event are as follows:

  • CreateUserSession – Creation of a user session after a successful login

    • SessionID

    • AuthenticationMechanism

    • UserID

  • DeleteUserSession – Deletion of a user session after logout

    • SessionID

    • AuthenticationMechanism

    • UserID

  • CreateUserFederation – Creation of a user federation between two remote servers

    • FederationID

    • FederationType (SP/IdP/Affiliation)

    • UserID

    • RemoteProviderID

    • ProtocolVersion

    • NameIDFormat

    • NameIDQualifier

    • NameIDValue

  • UpdateUserFederation - Updating the user federation between two remote servers

    • FederationID

    • FederationType (SP/IdP)

    • UserID

    • RemoteProviderID

    • ProtocolVersion

    • NameIDFormat

    • NameIDQualifier

    • NameIDValue

    • OldNameIDQualifier

    • OldNameIDValue

  • DeleteUserFederation – Deletion of a user federation between two remote servers

    • FederationID

    • FederationType (SP/IdP)

    • UserID

    • RemoteProviderID

    • ProtocolVersion

    • NameIDFormat

    • NameIDQualifier

    • NameIDValue

  • CreateActiveUserFederation – Creation of an active federation after successful login

    • FederationID

    • FederationType (SP/IdP)

    • SessionID

    • UserID

    • RemoteProviderID

    • ProtocolVersion

  • DeleteActiveUserFederation - Deletion of an active federation after logout

    • FederationID

    • FederationType (SP/IdP)

    • SessionID

    • UserID

    • RemoteProviderID

    • ProtocolVersion

  • LocalAuthentication – Authentication of a user at OIF

    • AuthenticationMechanism

    • AuthenticationEngineID

    • RemoteIP

    • SessionID

    • UserID

  • LocalLogout - Logout of a user at Oracle Identity Federation

    • RemoteIP

    • SessionID

    • UserID

7.4.1.1.2 Protocol Flow Events

Protocol flow events and their attributes are as follows:

  • IncomingMessage – Message being received by Oracle Identity Federation

    • RemoteIP

    • Binding (for example, SOAP/GET/POST/Artifact/…)

    • ProtocolVersion (for example, SAML2/Libv11/…)

    • RemoteProviderID

    • Role (for example, Service Provider/Identity Provider/Attribute Authority/…)

    • IncomingMessageString (CLOB)

    • MessageType (for example, SSOLoginRequest/SSOLoginResponse/SSOLogoutRequest/…)

  • OutgoingMessage - Message being sent by Oracle Identity Federation (Success only)

    • RemoteIP

    • Binding (for example, SOAP/GET/POST/Artifact/…)

    • ProtocolVersion (for example, SAML2/Libv11/…)

    • RemoteProviderID

    • Role (for example, Service Provider/Identity Provider/Attribute Authority/…)

    • OutgoingMessageString (CLOB)

    • MessageType (for example, SSOLoginRequest/SSOLoginResponse/SSOLogoutRequest/…)

  • AssertionCreation – Creation of an assertion by Oracle Identity Federation (Success only)

    • RemoteIP

    • ProtocolVersion (for example, SAML2/Libv11/…)

    • AssertionVersion (for example, 2.0)

    • IssueInstant

    • Issuer

    • NameIDQualifier

    • NameIDValue

    • NameIDFormat

    • AssertionID

    • UserID

    • SessionID

    • FederationID

    • RemoteProviderID

  • AssertionConsumption - Consumption of an assertion by Oracle Identity Federation (Success only)

    • ProtocolVersion (for example, SAML2/Libv11/…)

    • AssertionVersion (for example, 2.0)

    • IssueInstant

    • Issuer

    • NameIDQualifier

    • NameIDValue

    • NameIDFormat

    • AssertionID

    • UserID

    • SessionID

    • FederationID

    • RemoteProviderID

7.4.1.1.3 Server Configuration Events

Server configuration events and their attributes are as follows:

  • CreateConfigProperty – Adding a new configuration property (Success only)

    • PropertyName

    • PropertyType (for example, PropertiesList, PropertiesMap, String, Boolean…)

    • Value

    • PeerProviderID

    • Hierarchy

  • ChangeConfigProperty - Changing the value of an existing configuration property(Success only)

    • PropertyName

    • PropertyType (for example, PropertiesList, PropertiesMap, String, Boolean…)

    • OldValue

    • NewValue

    • PeerProviderID

    • Hierarchy

  • DeleteConfigProperty - Deleting a configuration property (Success only)

    • PropertyName

    • PropertyType (for example, PropertiesList, PropertiesMap, String, Boolean…)

    • OldValue

    • PeerProviderID

    • Hierarchy

  • CreatePeerProvider – Adding a new provider to the list of trusted providers (Success only)

    • PeerProviderID

    • ProviderType (for example, sp, idp, sp idp,…)

    • ProtocolVersion

    • Description

  • UpdatePeerProvider - Updating the information on an existing provider in the list of trusted providers (Success only)

    • PeerProviderID

    • ProviderType (for example, sp, idp, sp idp,…)

    • ProtocolVersion

    • Description

  • DeletePeerProvider - Deleting a provider from the list of trusted providers (Success only)

    • PeerProviderID

    • ProviderType (for example, sp, idp, sp idp,…)

    • ProtocolVersion

    • Description

  • LoadMetadata – Loading of metadata (Success only)

    • Metadata

    • Description

  • SetDataStoreType – Changing the type of a data store (Success only)

    • DataStoreName

    • OldValue

    • NewDataStoreType

  • ChangeDataStore – Setting of the federation data store (Success only)

    • DataStoreBefore

    • DataStoreAfter

  • ChangeFederation – Changing of the trusted providers (Success only)

    • COTBefore

    • COTAfter

  • ChangeServerProperty – Changing of a server configuration property (Success only)

    • ServerConfigBefore

    • ServerConfigAfter

7.4.1.1.4 Security Events

Security events and their attributes are as follows:

  • CreateSignature – Creation of a digital signature by Oracle Identity Federation

    • Type (XML, String)

  • VerifySignature – Verification of a digital signature by Oracle Identity Federation

    • Type (XML, String)

  • EncryptData – Encryption of data by Oracle Identity Federation

    • Type (XML, String)

  • DecryptData – Decryption of data by Oracle Identity Federation

    • Type (XML, String)

7.4.1.1.5 Attributes Shared by All Events

In addition there are attributes shared for all events:

  • timestamp - the timestamp of when the audit event occurred

  • initiator - the initiator of the audit event (for some events this attribute may be empty)

  • ECID - the execution context ID

7.4.1.2 Audit Levels

Fusion Middleware Audit Framework supports the following audit levels:

  • None

  • Low

  • Medium

  • Custom

The following audit events get audited at the Low and Medium audit levels:

Note:

FAILUREONLY denotes that the event is audited only in case of failure.

Events Audited at Low level

  • ServerConfiguration

    • CreateConfigProperty

    • ChangeConfigProperty

    • DeleteConfigProperty

    • CreatePeerProvider

    • UpdatePeerProvider

    • DeletePeerProvider

    • LoadMetadata

    • SetDataStoreType

    • ChangeDataStore

    • ChangeCOT

    • ChangeServerProperty

Events Audited at Medium level

  • ServerConfiguration

    • CreateConfigProperty

    • ChangeConfigProperty

    • DeleteConfigProperty

    • CreatePeerProvider

    • UpdatePeerProvider

    • DeletePeerProvider

    • LoadMetadata

    • SetDataStoreType

    • ChangeDataStore

    • ChangeCOT

    • ChangeServerProperty

  • UserSession.FAILUREONLY

    • CreateUserSession.FAILUREONLY

    • DeleteUserSession.FAILUREONLY

    • CreateUserFederation.FAILUREONLY

    • UpdateUserFederation.FAILUREONLY

    • DeleteUserFederation.FAILUREONLY

    • CreateActiveUserFederation.FAILUREONLY

    • DeleteActiveUserFederation.FAILUREONLY

    • LocalAuthentication.FAILUREONLY

    • LocalLogout.FAILUREONLY

  • ProtocolFlow.FAILUREONLY

    • IncomingMessage.FAILUREONLY

    • OutgoingMessage.FAILUREONLY

    • AssertionCreation.FAILUREONLY

    • AssertionConsumption.FAILUREONLY

  • Security.FAILUREONLY

    • CreateSignature.FAILUREONLY

    • VerifySignature.FAILUREONLY

    • EncryptData.FAILUREONLY

    • DecryptData.FAILUREONLY

Events Audited at Custom Level

The Custom audit level allows you to select only the events you wish to audit.

See Also:

Configuring and Managing Auditing in the Oracle Fusion Middleware Application Security Guide.

7.4.2 Configuring Auditing for Oracle Identity Federation

You can use Oracle Enterprise Manager Fusion Middleware Control or WLST command-line interface to configure auditing.

Take these steps to get started with configuring auditing with Fusion Middleware Control:

  1. Log in to Fusion Middleware Control and navigate to the Identity Management domain.

  2. In the WebLogic Domain drop-down menu, select Security, then Audit Policy.

  3. Select the Oracle Identity Federation component.

  4. In the Audit Level menu, select the desired audit level.

    You can view the audit policies that will be enforced in different categories by expanding the + check-box for the component.

    Note:

    If the selected level is Custom, refer to Section 7.4.2.1, "Configuring Auditing at the Custom Level".

  5. Optionally, in the Users text box, you can add users who will always be audited for all events, regardless of audit level.

  6. Click Apply.

7.4.2.1 Configuring Auditing at the Custom Level

Take these steps if you are configuring audit policies and wish to use the Custom audit level:

  1. In the Audit Level menu, select Custom as the audit level.

  2. Select the events to audit in the table of events:

    • Click the + sign next to the component name to get the list of audit event categories.

    • Click the + sign next to the category name to get the list of events.

    • Click the + sign next to the event name to get Success/Failure audit options.

  3. Check the Enable Audit box next to the events or categories you want to audit (for example, checking the box next to Security audits all security events, and checking the box next to the CreateUserSession Failure event audits all CreateUserSession failure events).

  4. Optionally, you can add filters for fine-grained auditing.

    Click the pencil icon to the right of the event or category name. Add the desired filter conditions.

  5. Click OK when finished.

See Also:

Configuring and Managing Auditing in the Oracle Fusion Middleware Application Security Guide for details about audit policy configuration.

7.4.3 Viewing Audit Data

Your audit data may reside in files (also known as bus-stop files), or it may reside in a database audit store.

If the audit data resides in a bus-stop file, you can query the file directly at this location:

<domain_home>/servers/<server_name>/logs/auditlogs/OIF/audit.log

If the audit data resides in a database, you can use a tool like Oracle Business Intelligence Publisher to view audit reports.

See Also:

Using Audit Analysis and Reporting in the Oracle Fusion Middleware Application Security Guide.
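The LocalAuthentication event of Section 7.4.1.1.1 carries RemoteIP and UserID, which is enough to spot clusters of failed logins once the audit records have been read from the bus-stop file or the audit store. The following Python is an added example, not Oracle's code: the event and attribute names are those of Section 7.4.1.1, but the record layout (already-parsed dicts with a status field holding the Success/Failure outcome that the audit policy distinguishes), the addresses, users, timestamps, window and threshold are all constructed assumptions, since this chapter does not show the bus-stop file format.

```python
"""Spot bursts of failed local logins in Oracle Identity Federation audit data.

Added example, not Oracle's code. Event and attribute names follow Section
7.4.1.1; the record layout, the status field and all values are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List

AuditRecord = Dict[str, str]


def _record(timestamp: str, status: str, remote_ip: str, user_id: str) -> AuditRecord:
    """A constructed LocalAuthentication record (attribute names from 7.4.1.1.1)."""
    return {
        "event": "LocalAuthentication",
        "status": status,                       # assumed field: "Success" or "Failure"
        "timestamp": timestamp,
        "initiator": user_id,
        "ECID": "constructed-ecid",
        "AuthenticationMechanism": "password",  # constructed value
        "AuthenticationEngineID": "engine-1",   # constructed value
        "RemoteIP": remote_ip,
        "SessionID": "",
        "UserID": user_id,
    }


# Constructed sample: one address cycles through many accounts, another is a
# normal user who mistypes a password once and then logs in.
AUDIT_RECORDS: List[AuditRecord] = [
    _record("2013-03-04T10:00:05", "Failure", "203.0.113.5", "alice"),
    _record("2013-03-04T10:00:41", "Failure", "203.0.113.5", "bob"),
    _record("2013-03-04T10:01:10", "Failure", "198.51.100.7", "bob"),
    _record("2013-03-04T10:01:17", "Failure", "203.0.113.5", "carol"),
    _record("2013-03-04T10:01:59", "Success", "198.51.100.7", "bob"),
    _record("2013-03-04T10:02:30", "Failure", "203.0.113.5", "dave"),
    _record("2013-03-04T10:03:12", "Failure", "203.0.113.5", "erin"),
    _record("2013-03-04T10:03:50", "Failure", "203.0.113.5", "frank"),
    _record("2013-03-04T10:04:20", "Success", "203.0.113.5", "frank"),
    _record("2013-03-04T10:45:00", "Failure", "203.0.113.5", "grace"),
]


def _when(record: AuditRecord) -> datetime:
    return datetime.fromisoformat(record["timestamp"])


def failed_login_bursts(records: Iterable[AuditRecord],
                        window: timedelta = timedelta(minutes=5),
                        threshold: int = 5) -> List[Dict[str, object]]:
    """Alert when one RemoteIP accumulates `threshold` LocalAuthentication
    failures inside a sliding `window`. Input may be unordered; the alert fires
    once, at the moment the burst crosses the threshold."""
    failures = sorted(
        (r for r in records if r["event"] == "LocalAuthentication" and r["status"] == "Failure"),
        key=_when,
    )
    recent: Dict[str, Deque[AuditRecord]] = defaultdict(deque)
    alerts: List[Dict[str, object]] = []
    for rec in failures:
        now = _when(rec)
        q = recent[rec["RemoteIP"]]
        q.append(rec)
        while _when(q[0]) < now - window:   # drop failures older than the window
            q.popleft()
        if len(q) == threshold:
            users = {r["UserID"] for r in q}
            alerts.append({
                "RemoteIP": rec["RemoteIP"],
                "failures": len(q),
                "distinct_users": len(users),
                "pattern": "password spraying" if len(users) > 1 else "single-account brute force",
                "from": q[0]["timestamp"],
                "to": rec["timestamp"],
            })
    return alerts


def logins_after_burst(records: Iterable[AuditRecord],
                       bursts: List[Dict[str, object]]) -> List[AuditRecord]:
    """Successful logins from a flagged address after its burst: the accounts
    to review first for a compromised credential."""
    flagged = {str(b["RemoteIP"]): datetime.fromisoformat(str(b["to"])) for b in bursts}
    return [
        r for r in records
        if r["event"] == "LocalAuthentication" and r["status"] == "Success"
        and r["RemoteIP"] in flagged and _when(r) > flagged[r["RemoteIP"]]
    ]


if __name__ == "__main__":
    bursts = failed_login_bursts(AUDIT_RECORDS)
    print(bursts)
    print([r["UserID"] for r in logins_after_burst(AUDIT_RECORDS, bursts)])
```

Because the Medium audit level records UserSession events at FAILUREONLY, the failures needed for the burst detector are present at that level, but the successful login that logins_after_burst looks for is only captured when the Custom level enables LocalAuthentication Success as well; that is worth weighing when choosing the audit level in Section 7.4.2.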