Checking which SAML flows are in use on your Shibboleth Identity Provider

The Shibboleth IdP (version 3) records requests and responses in the IdP Audit log. By default this takes the format, set in .../conf/audit.xml:

%T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i|%X

IdP v4 defaults to logging in a different format which doesn't include the SAML bindings, so this process is not suitable for a new v4 instance. Upgraded instances retain the old behaviour (and the old audit format).

Of interest here are the outbound binding (%bb, field 7) and the entityID of the SP involved (%SP, field 4).

Using standard UNIX tools, a brief report can be created of the bindings in use for a given period of time:

cd /opt/shibboleth-idp/logs # adjust for your IdP's deployment
zcat idp-audit-2020-09-*.log.gz | cut -d"|" -f 7 | sort | uniq -c

This might produce output similar to:

      8
     14 urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
      5 urn:oasis:names:tc:SAML:1.0:profiles:browser-post
  10895 urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
      1 urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
     56 urn:oasis:names:tc:SAML:2.0:bindings:SOAP

The log files are automatically rotated daily and then compressed. The command above reads every compressed log from September 2020 and performs a pivot-table-style operation on field 7, producing a count of each distinct value.

The above output shows that the vast majority of requests are serviced using SAML2 bindings (urn:oasis:names:tc:SAML:2.0:...). The first line (a blank binding, 8 occurrences) is produced when the aacli test tool is used without a specific binding requested and can be safely ignored.

To check which entities are using the older SAML1 bindings, run the following:

zcat idp-audit-2020-09-*.log.gz | grep urn:oasis:names:tc:SAML:1.0: | cut -d"|" -f 4 | sort | uniq -c

Output might look like:

      9
      4 https://auth.galegroup.com/shibboleth
      1 https://portal.moonshot.ja.net/shibboleth
      1 https://sp-vaas-stage.asknet.de/shibboleth
      4 https://test.ukfederation.org.uk/entity

Here the 9 "blank" entities are likely related to invalid requests sent to the SOAP (back-channel) endpoints and can also be ignored.

These entities should, therefore, be the target of any remediation conversations to discover why the older bindings are in use and how to move to SAML2.
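The two pipelines above can be wrapped into small reusable functions so the same report can be re-run each month. The script below is an added example written for this post, not part of the original or of the Shibboleth project. It assumes the IdP v3 default audit format shown earlier (field 4 is the SP entityID, field 7 the outbound binding) and runs against a constructed set of audit lines with hypothetical entityIDs, so it works offline; `read_audit_logs` uses `gzip -cdf` so that the current day's still-uncompressed log is included alongside the rotated `.gz` files, which the plain `zcat ...*.log.gz` glob skips.

```shell
#!/bin/sh
# Added example (not the original post's code). Reports bindings in use on a
# Shibboleth IdP v3 audit log in the default format:
#   %T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i|%X
# Field 4 = SP entityID, field 7 = outbound binding.

# Constructed sample audit lines: hypothetical SPs and IdP, 14 fields each.
# Lines 1-2: ordinary SAML2 SSO; 3-4: a legacy SP on SAML1 browser-post and
# SAML1 SOAP attribute query; 5: an aacli run (blank binding); 6: a malformed
# SAML1 SOAP request with no SP recorded.
SAMPLE_AUDIT='20200901T080000Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r1|https://sp-a.example.org/shibboleth|urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser|https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_s1|alice|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|mail|_n1|_i1|
20200901T080100Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r2|https://sp-a.example.org/shibboleth|urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser|https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_s2|bob|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|mail|_n2|_i2|
20200901T080200Z||_r3|https://legacy.example.edu/shibboleth|urn:mace:shibboleth:1.0:profiles:AuthnRequest|https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:1.0:profiles:browser-post|_s3|carol|urn:oasis:names:tc:SAML:1.0:am:password|mail|_n3|_i3|
20200901T080300Z|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_r4|https://legacy.example.edu/shibboleth|urn:oasis:names:tc:SAML:1.0:profiles:attribute-query|https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_s4|carol||mail|_n4|_i4|
20200901T080400Z||_r5|https://sp-a.example.org/shibboleth||https://idp.example.org/idp/shibboleth||_s5|alice||mail|_n5|_i5|
20200901T080500Z|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_r6||||urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_s6||||_n6|_i6|'

# Concatenate audit logs, compressed or not. gzip -cdf passes plain files
# through unchanged, so today's not-yet-rotated log is included.
# Usage: read_audit_logs /opt/shibboleth-idp/logs/idp-audit-2020-09-*.log*
read_audit_logs() {
    gzip -cdf "$@"
}

# Tidy "uniq -c" output into "count value" lines, naming empty values.
label_counts() {
    awk '{ print $1, ($2 == "" ? "(blank)" : $2) }'
}

# Pivot on field 7: how many responses went out over each binding.
binding_report() {
    cut -d'|' -f 7 | sort | uniq -c | label_counts
}

# Pivot on field 4, restricted to lines mentioning any SAML1 binding or
# profile: which SPs are still on SAML1.
saml1_sp_report() {
    grep 'urn:oasis:names:tc:SAML:1.0:' | cut -d'|' -f 4 | sort | uniq -c | label_counts
}

# Pull one count out of a report on stdin; prints 0 when the key is absent.
count_for() {
    awk -v key="$1" '$2 == key { n = $1 } END { print n + 0 }'
}

# Demonstration on the constructed sample. Against a real deployment, replace
# the printf with: read_audit_logs /opt/shibboleth-idp/logs/idp-audit-2020-09-*.log*
echo "Bindings in use:"
printf '%s\n' "$SAMPLE_AUDIT" | binding_report
echo "SPs with SAML1 traffic:"
printf '%s\n' "$SAMPLE_AUDIT" | saml1_sp_report
```

On the sample this reports two SAML2 HTTP-POST responses, one SAML1 browser-post, two SAML1 SOAP responses and one blank binding, and lists the legacy SP twice alongside one blank entity, mirroring the two classes of ignorable noise described above.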

Explanation of pivot-table commands

Which SAML bindings are in use?

zcat <files> |       # Decompress the log files and pass through
   cut -d"|" -f 7 |  # Extract field 7 from a pipe ("|") separated input stream
   sort |            # Sort the output for the next command
   uniq -c           # Group the sorted output and produce a numerical count

Which flows are using SAML1 bindings?

zcat <files> |                          # Decompress the log files and pass through
   grep urn:oasis:names:tc:SAML:1.0: |  # Select lines matching this pattern
   cut -d"|" -f 4 |                     # Extract field 4 from a pipe ("|") separated input stream
   sort |                               # Sort the output for the next command
   uniq -c                              # Group the sorted output and produce a numerical count