It is possible to nominate additional attributes to be logged in the audit log. This is useful, for example, when billing depends on a customer attribute or an attribute received from an Identity Provider.
The attributes which are logged are defined in the
- whitelist.assertion-received are attributes that are received from the upstream IDP or authentication method (method attributes).
- whitelist.ticket-granted are attributes that were sent to a connected application (Service Provider), as defined in the Authorization Policy.
The attribute names are delimited by a whitespace character.
The attribute values are logged within quotation marks (") and separated by commas. They appear before the User Agent value.
To enable the above configuration, the following commands must be run:
Multi-value attributes are not supported. Only the first value of a multi-value attribute will be logged.