Prices

ITfoxtec AD FS Audit
Can be installed on an AD FS farm and in a test environment.
14,000 kr excl. VAT
Service agreement, 20% of the price per year. Provides access to updates and 1 hour of support per year.

ITfoxtec AD FS Audit with source code
Can be installed on an AD FS farm and in a test environment.
Includes source code and a test application.
26,000 kr excl. VAT
Service agreement, 20% of the price per year. Provides access to updates and 1 hour of support per year.

Sales and support contact

contact@foxids.com

License

License terms

ITfoxtec AD FS Audit

The NemLog-in logging requirements are met by extending the AD FS standard audit log with ITfoxtec AD FS Audit.

The company name ITfoxtec has changed to FoxIDs but the components will keep the ITfoxtec name as part of the component name for now.

AD FS supports integration with NemLog-in via SAML 2.0. However, the AD FS standard audit log does not log all the information that NemLog-in requires, so an extension of the audit log is needed.

The NemLog-in logging requirements include, among other things, that all SAML 2.0 request and response messages are logged. The request and response messages must be logged including the signature proofs, which ITfoxtec AD FS Audit handles.

Supported SAML 2.0 bindings towards the Claims Provider (NemLog-in):

  • Login request (AuthnRequest) over redirect binding
  • Login response (Assertion) over post binding
  • Logout request (LogoutRequest) over redirect binding
  • Logout response (LogoutResponse) over post binding

Supported SAML 2.0 bindings towards Relying Parties:

  • Login request (AuthnRequest) over redirect binding
  • Login response (Assertion) over post binding
  • Logout request (LogoutRequest) over redirect and post binding
  • Logout response (LogoutResponse) over redirect and post binding

ITfoxtec AD FS Audit supports Microsoft AD FS from version 3.0 (Windows Server 2012 R2).

ITfoxtec AD FS Audit logging

ITfoxtec AD FS Audit writes to the Application log (Windows Logs/Application) in the Windows Event Log with the log source "AD FS, ITfoxtec Auditing".

The logged details (the SAML messages) are found on the Details tab of each event in Event Viewer.

Event id   Text
211        "Received, SAML GET Request" or "Received, SAML Authn Request"
212        "Send, SAML GET Request" or "Send, SAML Authn Request"
221        "Send/Received, SAML Assertion"
222        "Received, Validating SAML Assertion"
231        "Send/Received, SAML Logout Request"
232        "Send/Received, SAML Logout Response"
233        "Send/Received, SAML Logout Response"
234        "Received, SAML Logout Response"
235        "Received, SAML Logout Request"
236        "Received, SAML Logout Request"
237        "Send, SAML Logout Request"
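The following PowerShell is an added example and not part of the ITfoxtec documentation or product. It reads the audit events listed above back out of the Application log, tags each one with the text from the table, and summarises them per event id, which is a quick way to confirm after installation that SAML messages are actually being written. The function and parameter names are the example's own; the log name, log source and event ids come from this page.

```powershell
# Added example, not from the ITfoxtec documentation: query and summarise the
# ITfoxtec AD FS Audit events. Log name, source and ids are taken from the page.
$ITfoxtecEventText = @{
    211 = 'Received, SAML GET Request / Received, SAML Authn Request'
    212 = 'Send, SAML GET Request / Send, SAML Authn Request'
    221 = 'Send/Received, SAML Assertion'
    222 = 'Received, Validating SAML Assertion'
    231 = 'Send/Received, SAML Logout Request'
    232 = 'Send/Received, SAML Logout Response'
    233 = 'Send/Received, SAML Logout Response'
    234 = 'Received, SAML Logout Response'
    235 = 'Received, SAML Logout Request'
    236 = 'Received, SAML Logout Request'
    237 = 'Send, SAML Logout Request'
}

function Get-ITfoxtecAuditEvent {
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME   # assumed: run once per farm node
    )
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'AD FS, ITfoxtec Auditing'    # the log source named on the page
        Id           = [int[]]$ITfoxtecEventText.Keys
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent reports an error when nothing matches; treat that as an empty result.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Text    = $ITfoxtecEventText[$_.Id]
                Message = $_.Message   # event text; the logged SAML details are in $_.Properties (Details tab)
            }
        }
}

function Get-ITfoxtecAuditSummary {
    param([int]$Hours = 24)
    $events = @(Get-ITfoxtecAuditEvent -Hours $Hours)
    if ($events.Count -eq 0) {
        Write-Warning "No ITfoxtec audit events in the last $Hours h: check the listener configuration and that AD FS was restarted."
        return
    }
    $events | Group-Object Id | Sort-Object Name | ForEach-Object {
        [pscustomobject]@{
            Id    = [int]$_.Name
            Count = $_.Count
            Text  = $ITfoxtecEventText[[int]$_.Name]
        }
    }
}

# Usage: a login round-trip should show 211/212 and 221/222; a logout shows the 23x ids.
Get-ITfoxtecAuditSummary -Hours 24 | Format-Table -AutoSize
```

Running the summary on each AD FS server in the farm separately matters because the events are written locally on the node that handled the request.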

Installation of ITfoxtec AD FS Audit

ITfoxtec AD FS Audit is installed on the AD FS server by creating an Event Log source, placing a DLL in the AD FS folder on the server, and configuring ITfoxtec AD FS Audit in the AD FS configuration file. In an AD FS farm the installation is performed on all AD FS servers.

Note: It is only necessary to create an Event Log source the first time ITfoxtec AD FS Audit is installed. For the first installation, it is not necessary to start and stop the AD FS service; this is only required for updates.


1) Create an Event Log source

An Event Log source named "AD FS, ITfoxtec Auditing" is created under the Application log.

Run the following in a CMD with administrative privileges: ITfoxtec.CreateAuditingEventSource.exe
A test log entry is written to the Event Log, so the new source can be verified in Event Viewer.


2) Stop the AD FS service

Stop the Active Directory Federation Services service. For example, with the command: "net stop adfssrv"


3) Place the ITfoxtec AD FS Audit DLL in the AD FS folder

Copy the file "ITfoxtec.AdfsAuditing.dll" into the folder "C:\Windows\ADFS".


4) Configure ITfoxtec AD FS Audit

The ITfoxtec AD FS Audit configuration is added under the "system.diagnostics" element in the AD FS configuration file: "C:\Windows\ADFS\Microsoft.IdentityServer.Servicehost.exe.config"

The original AD FS 3.0 "system.diagnostics" element:

<system.diagnostics>
  <sources>
    <source name="Microsoft.IdentityModel" switchValue="Off">
      <listeners>
        <add name="ADFSWifListener" traceOutputOptions="ProcessId,ThreadId" initializeData="Wif" type="Microsoft.IdentityServer.Diagnostics.ADFSTraceListener,Microsoft.IdentityServer.Diagnostics,Version=6.3.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL" />
      </listeners>
    </source>
    <source name="System.ServiceModel" switchValue="Off">
      <listeners>
        <add name="ADFSWcfListener" traceOutputOptions="ProcessId,ThreadId" initializeData="Wcf" type="Microsoft.IdentityServer.Diagnostics.ADFSTraceListener,Microsoft.IdentityServer.Diagnostics,Version=6.3.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL" />
      </listeners>
    </source>
    <source name="System.ServiceModel.MessageLogging" switchValue="Off">
      <listeners>
        <add name="ADFSWcfListener" traceOutputOptions="ProcessId,ThreadId" initializeData="Wcf" type="Microsoft.IdentityServer.Diagnostics.ADFSTraceListener,Microsoft.IdentityServer.Diagnostics,Version=6.3.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL" />
      </listeners>
    </source>
  </sources>
  <trace autoflush="true" ></trace>
</system.diagnostics>

ITfoxtec AD FS Audit is configured in the "system.diagnostics" element. The additions (highlighted in yellow in the original document) are: the "Microsoft.IdentityModel" source switched from "Off" to "Verbose", the "EventLogIdentityModelListener" added to it with the original "ADFSWifListener" commented out, and a new "System.Net.HttpListener" source with the "EventLogHttpListener":

<system.diagnostics>
  <sources>
    <source name="Microsoft.IdentityModel" switchValue="Verbose">
      <listeners>
        <add name="EventLogIdentityModelListener" type="ITfoxtec.AdfsAuditing.EventLogIdentityModelListener, ITfoxtec.AdfsAuditing, Version=1.0.0.0, Culture=neutral, PublicKeyToken=b2673fdcc9b2bfae" />
        <!--<add name="ADFSWifListener" traceOutputOptions="ProcessId,ThreadId" initializeData="Wif" type="Microsoft.IdentityServer.Diagnostics.ADFSTraceListener,Microsoft.IdentityServer.Diagnostics,Version=6.3.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL" />-->
      </listeners>
    </source>
    <source name="System.Net.HttpListener" tracemode="protocolonly" maxdatasize="10000" switchValue="Verbose">
      <listeners>
        <add name="EventLogHttpListener" type="ITfoxtec.AdfsAuditing.EventLogHttpListener, ITfoxtec.AdfsAuditing, Version=1.0.0.0, Culture=neutral, PublicKeyToken=b2673fdcc9b2bfae" />
      </listeners>
    </source>
    <source name="System.ServiceModel" switchValue="Off">
      <listeners>
        <add name="ADFSWcfListener" traceOutputOptions="ProcessId,ThreadId" initializeData="Wcf" type="Microsoft.IdentityServer.Diagnostics.ADFSTraceListener,Microsoft.IdentityServer.Diagnostics,Version=6.3.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL" />
      </listeners>
    </source>
    <source name="System.ServiceModel.MessageLogging" switchValue="Off">
      <listeners>
        <add name="ADFSWcfListener" traceOutputOptions="ProcessId,ThreadId" initializeData="Wcf" type="Microsoft.IdentityServer.Diagnostics.ADFSTraceListener,Microsoft.IdentityServer.Diagnostics,Version=6.3.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL" />
      </listeners>
    </source>
  </sources>
  <trace autoflush="true" ></trace>
</system.diagnostics>

The ITfoxtec AD FS Audit configuration as text file.


5) Start the AD FS service

Start the Active Directory Federation Services service. For example, with the command: "net start adfssrv"
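The following PowerShell is an added example, not an installer shipped by ITfoxtec or FoxIDs; it carries out steps 1 to 5 above on one AD FS server and is meant to be run on every server in the farm. It assumes the ITfoxtec files (the exe and the DLL) are staged in a folder given by the $SourceDir parameter, and that it runs in an elevated session. The service name, file names, paths, listener types and attribute values are the ones on this page; the config is backed up before it is changed, and the edits are skipped if they are already present, so re-running the script for an update is safe.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the ITfoxtec documentation): steps 1-5 on one AD FS server.
# Assumption not taken from the page: the ITfoxtec files are staged in $SourceDir.
[CmdletBinding()]
param(
    [string]$SourceDir = 'C:\Install\ITfoxtecAdfsAudit',   # assumed staging folder
    [string]$AdfsDir   = 'C:\Windows\ADFS'                 # AD FS folder named on the page
)
$ErrorActionPreference = 'Stop'

$EventSource = 'AD FS, ITfoxtec Auditing'
$DllName     = 'ITfoxtec.AdfsAuditing.dll'
$ConfigPath  = Join-Path $AdfsDir 'Microsoft.IdentityServer.Servicehost.exe.config'
$Assembly    = 'ITfoxtec.AdfsAuditing, Version=1.0.0.0, Culture=neutral, PublicKeyToken=b2673fdcc9b2bfae'

# 1) Event Log source: only needed on the first installation, so skip it if present.
if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
    & (Join-Path $SourceDir 'ITfoxtec.CreateAuditingEventSource.exe')
    if ($LASTEXITCODE -ne 0) { throw "Creating the event source failed (exit code $LASTEXITCODE)" }
}

# 2) Stop AD FS so the DLL is not locked and the config is re-read on start.
if ((Get-Service -Name adfssrv).Status -ne 'Stopped') {
    Stop-Service -Name adfssrv -Force
}

# 3) Copy the audit DLL into the AD FS folder.
Copy-Item -Path (Join-Path $SourceDir $DllName) -Destination $AdfsDir -Force

# 4) Edit the system.diagnostics element. Keep a timestamped backup so the
#    change can be reverted by copying the .bak file back.
Copy-Item -Path $ConfigPath -Destination "$ConfigPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
[xml]$cfg = Get-Content -Path $ConfigPath -Raw
$sources  = $cfg.SelectSingleNode('/configuration/system.diagnostics/sources')
if (-not $sources) { throw "No system.diagnostics/sources element in $ConfigPath" }

# 4a) Microsoft.IdentityModel: Verbose, ITfoxtec listener added, ADFSWifListener commented out.
$im = $sources.SelectSingleNode("source[@name='Microsoft.IdentityModel']")
if (-not $im) { throw 'Microsoft.IdentityModel source not found in the config' }
$im.SetAttribute('switchValue', 'Verbose')
$listeners = $im.SelectSingleNode('listeners')
if (-not $listeners.SelectSingleNode("add[@name='EventLogIdentityModelListener']")) {
    $wif = $listeners.SelectSingleNode("add[@name='ADFSWifListener']")
    if ($wif) {
        # Same shape as on the page: the original listener becomes an XML comment.
        [void]$listeners.ReplaceChild($cfg.CreateComment($wif.OuterXml), $wif)
    }
    $add = $cfg.CreateElement('add')
    $add.SetAttribute('name', 'EventLogIdentityModelListener')
    $add.SetAttribute('type', "ITfoxtec.AdfsAuditing.EventLogIdentityModelListener, $Assembly")
    [void]$listeners.PrependChild($add)
}

# 4b) New System.Net.HttpListener source carrying the ITfoxtec HTTP listener.
if (-not $sources.SelectSingleNode("source[@name='System.Net.HttpListener']")) {
    $src = $cfg.CreateElement('source')
    $src.SetAttribute('name', 'System.Net.HttpListener')
    $src.SetAttribute('tracemode', 'protocolonly')
    $src.SetAttribute('maxdatasize', '10000')
    $src.SetAttribute('switchValue', 'Verbose')
    $ls  = $cfg.CreateElement('listeners')
    $add = $cfg.CreateElement('add')
    $add.SetAttribute('name', 'EventLogHttpListener')
    $add.SetAttribute('type', "ITfoxtec.AdfsAuditing.EventLogHttpListener, $Assembly")
    [void]$ls.AppendChild($add)
    [void]$src.AppendChild($ls)
    [void]$sources.InsertAfter($src, $im)
}
$cfg.Save($ConfigPath)

# 5) Start AD FS again and report its state.
Start-Service -Name adfssrv
(Get-Service -Name adfssrv).Status
```

Because the script stops the AD FS service on the node it runs on, run it on one farm member at a time behind the load balancer so sign-in stays available; afterwards, an entry with event id 211 or 212 in the Application log confirms that the listeners are active on that node.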
