Identity Gateway / OPENIG-2961

AM sessions should be traceable through IG audit logs



    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 6.1.0
    • Fix Version/s: None
    • Component/s: Audit, OpenAM
    • Labels:


      All sessions created by AM are assigned a unique audit tracking identifier which can be used to correlate audit events which relate to that session.  For example, using the tracking ID assigned to the session, it is possible to trace all AM accesses using that session all the way back through the authentication process.

      When IG is aware of an AM session, it would be beneficial to be able to correlate audit events for calls made to IG with those made to AM.  When IG calls AM and propagation of the transaction ID is enabled, this may be possible (e.g. the AM audit event for policy evaluation will log the session's audit tracking ID and this can be correlated with the IG audit event based on the shared transaction ID).  However, this correlation of AM and IG audit events will not always be possible, e.g. if IG caches the result of the call to AM's /sessioninfo endpoint and doesn't need to contact AM the next time this session is presented to IG.

      It would be beneficial for IG to record the session tracking ID in all audit events when the session is presented.  IG already has access to the session's tracking ID as it has the same value as the session's suid (which is the identifier used when notifying IG of changes to the session over the websocket connection).





    • Assignee: Unassigned
    • Reporter: Craig McDonnell
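The correlation gap described in the issue, as an added example (not part of the original issue or of IG/AM code): it joins constructed IG and AM audit events on the transaction ID, then groups IG events directly when they carry the tracking ID. The field names, paths, IDs and the "/n" suffix handling are assumptions made for illustration.

```python
import json
from collections import defaultdict

# Constructed sample events. Field names are assumptions for illustration.
IG_AUDIT = """\
{"transactionId": "tx-100", "path": "/app/home"}
{"transactionId": "tx-101", "path": "/app/orders"}
{"transactionId": "tx-200", "path": "/app/admin"}
"""
# tx-101 has no AM event: IG answered it from its cached /sessioninfo result.
AM_AUDIT = """\
{"transactionId": "tx-100/0", "trackingIds": ["suid-A"]}
{"transactionId": "tx-200/0", "trackingIds": ["suid-B"]}
"""

def load(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def root(tx_id):
    # Assumption: the AM side may append "/n" to the propagated transaction ID.
    return tx_id.split("/", 1)[0]

def correlate(ig_events, am_events):
    """Attribute IG events to sessions via AM events sharing the transaction ID."""
    by_tx = defaultdict(set)
    for ev in am_events:
        by_tx[root(ev["transactionId"])].update(ev.get("trackingIds", []))
    attributed, unattributed = defaultdict(list), []
    for ev in ig_events:
        ids = by_tx.get(root(ev["transactionId"]))
        if ids:
            for tid in sorted(ids):
                attributed[tid].append(ev["path"])
        else:
            unattributed.append(ev["path"])  # no AM call, so no tracking ID
    return dict(attributed), unattributed

def by_session(ig_events):
    """Group IG events directly by a tracking ID recorded on the IG event."""
    out = defaultdict(list)
    for ev in ig_events:
        for tid in ev.get("trackingIds", ["<none>"]):
            out[tid].append(ev["path"])
    return dict(out)

if __name__ == "__main__":
    ig, am = load(IG_AUDIT), load(AM_AUDIT)
    print(correlate(ig, am))
    # Hypothetical IG events carrying the tracking ID, as the issue proposes.
    print(by_session([dict(e, trackingIds=[s]) for e, s in zip(ig, ["suid-A", "suid-A", "suid-B"])]))
```

With the join, the cached request `/app/orders` cannot be tied to any session; with the tracking ID on the IG event itself, it groups under `suid-A` without consulting the AM log.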