SSO Log rule set

The SSO Log rule set is activated when the request is made by an SSO component, including the SSO.Client and SSO.Proxy components.

Library rule set – SSO Log
Criteria – JSON.AsString (JSON.GetByName (SSO.LogAttributes, "origin")) matches SSO.*
Cycles – Requests (and IM), Responses, Embedded Objects

The SSO.LogAttributes property is a JSON object containing the SSO request attributes shown in the following table. The SSO Log rule set generates the SSO access log and optionally the SSO trace log from the attributes in the JSON object.

Table 1: SSO.LogAttributes property
SSO request log attribute – Definition

action – Specifies the name of the internal action performed in response to the SSO request. Examples include:
  • LoadLaunchpad
  • GetServices
  • StartHTMLLogin, StartSAMLLogin, and StartIceTokenLogin
  • AddCredentials, UpdateCredentials, and DeleteCredentials

config – Specifies the name of the settings used by the internal action performed in response to the SSO request.

message – Describes the SSO request.

origin – Specifies the source of the values that the proxy copies to the SSO.LogAttributes property. The source can be one of the following SSO components:
  • SSO.Client — The proxy copies the values provided by the client (browser) to this property without checking them first.
  • SSO.Proxy — The proxy checks the values provided by the client (browser) before copying them to this property.

SSO.Client values are used by developers when testing and debugging SSO features and are included in the SSO trace log. For security reasons, only values checked by the proxy (SSO.Proxy values) are included in the SSO access log.

level – Specifies the log level. Only SSO requests having a log level of four or less are included in the SSO access log. SSO requests having a log level higher than four are also included in the SSO trace log, which is more detailed.

The log levels are:

  • Off (0) — Logging is turned off.
  • Error (1, 2) — Only error messages are logged.
  • Info (3, 4) — Error and info messages are logged to the SSO access log file.
  • Full (5, 6) — All messages are logged to the SSO trace log file.

service – Specifies the name of the cloud service in the SSO request.

outward – Specifies whether Web Gateway performs the web server role or the web server is external to Web Gateway. This attribute has one of the following values:
  • FALSE — Web Gateway is the destination of the SSO request and creates the SSO response. In this case, Web Gateway performs the role of a web server. For example, Web Gateway performs the web server role when the user accesses the launchpad.
  • TRUE — The SSO request is directed to an external web server, which creates the SSO response. In this case, Web Gateway does not perform the role of a web server.
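The routing described by the origin and level attributes can be modelled as follows. This is an added example, not Web Gateway rule code. It assumes that level is a JSON integer, that the SSO.* criteria is a prefix match, and that the optional trace log takes every record at level 1 to 6. The function name route_sso_record and the sample records are hypothetical.

```python
import json

ACCESS_MAX_LEVEL = 4          # page: level four or less is eligible for the access log
TRUSTED_ORIGIN = "SSO.Proxy"  # page: only proxy-checked values reach the access log


def route_sso_record(raw, trace_enabled=False):
    """Return the logs ("access", "trace") that one SSO.LogAttributes record belongs in."""
    try:
        attrs = json.loads(raw)
    except (TypeError, ValueError):
        return []
    if not isinstance(attrs, dict):
        return []
    origin = attrs.get("origin")
    # Rule set criteria: origin matches SSO.* (read here as the prefix "SSO.").
    if not isinstance(origin, str) or not origin.startswith("SSO."):
        return []
    level = attrs.get("level")
    # Assumption: level is a JSON integer. bool is an int subclass, so reject it too.
    if isinstance(level, bool) or not isinstance(level, int) or not 1 <= level <= 6:
        return []  # 0 is Off; other values are outside the documented range
    targets = []
    if origin == TRUSTED_ORIGIN and level <= ACCESS_MAX_LEVEL:
        targets.append("access")
    if trace_enabled:
        targets.append("trace")  # assumption: trace takes every level 1 to 6 record
    return targets


# Constructed sample records, not taken from a real gateway.
SAMPLES = [
    '{"origin": "SSO.Proxy", "level": 3, "action": "GetServices", "outward": "FALSE"}',
    '{"origin": "SSO.Client", "level": 3, "action": "LoadLaunchpad", "message": "unchecked"}',
    '{"origin": "SSO.Proxy", "level": 5, "action": "StartSAMLLogin", "outward": "TRUE"}',
    '{"origin": "SSO.Proxy", "level": 0, "action": "GetServices"}',
    '{"origin": "Other", "level": 2}',
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(route_sso_record(raw, trace_enabled=True), raw)
```

The second sample shows why the origin check matters for log consumers: its values came from the browser unchecked, so the record never reaches the access log whatever its level.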