ITfoxtec AD FS Audit logging
ITfoxtec AD FS Audit logs to Application ("Windows Logs/Application") in Event Log with log source: "AD FS, ITfoxtec Auditing".
The logging details are found on the Details tab.
| Event id | Text |
|---|---|
| 211 | "Received, SAML GET Request" or "Received, SAML Authn Request" |
| 212 | "Send, SAML GET Request" or "Send, SAML Authn Request" |
| 221 | "Send/Received, SAML Assertion" |
| 222 | "Received, Validating SAML Assertion" |
| 231 | "Send/Received, SAML Logout Request" |
| 232 | "Send/Received, SAML Logout Response" |
| 233 | "Send/Received, SAML Logout Response" |
| 234 | "Received, SAML Logout Response" |
| 235 | "Received, SAML Logout Request" |
| 236 | "Received, SAML Logout Request" |
| 237 | "Send, SAML Logout Request" |
Installation of ITfoxtec AD FS Audit
ITfoxtec AD FS Audit is installed on the AD FS server by creating an event log source, placing a DLL in the AD FS folder on the server, and configuring ITfoxtec AD FS Audit in the AD FS configuration file. The installation is performed in an AD FS farm on all AD FS servers.
Note: It is only necessary to create an Event Log source the first time ITfoxtec AD FS Audit is installed. For the first installation, it is not necessary to start and stop the AD FS service; this is only required for updates.
1) Create an Event Log source
An Event Log source named "AD FS, ITfoxtec Auditing" is created under the Application log.
Run the following in a CMD with administrative privileges: ITfoxtec.CreateAuditingEventSource.exe
A test log entry is created in Event Log, which can be verified.
2) Stop the AD FS service
Stop the Active Directory Federation Services service. For example, with the command: "net stop adfssrv"
3) Place the ITfoxtec AD FS Audit DLL in the AD FS folder
Copy the file "ITfoxtec.AdfsAuditing.dll" into the folder "C:\Windows\ADFS".
4) Configure ITfoxtec AD FS Audit
The ITfoxtec AD FS Audit configuration is added under the "system.diagnostics" element in the AD FS configuration file: "C:\Windows\ADFS\Microsoft.IdentityServer.Servicehost.exe.config"
The original AD FS 3.0 "system.diagnostics" element:
<system.diagnostics>
  <sources>
    <source name="Microsoft.IdentityModel" switchValue="Off">
      <listeners>
        <add name="ADFSWifListener" traceOutputOptions="ProcessId,ThreadId" initializeData="Wif" type="Microsoft.IdentityServer.Diagnostics.ADFSTraceListener,Microsoft.IdentityServer.Diagnostics,Version=6.3.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL" />
      </listeners>
    </source>
    <source name="System.ServiceModel" switchValue="Off">
      <listeners>
        <add name="ADFSWcfListener" traceOutputOptions="ProcessId,ThreadId" initializeData="Wcf" type="Microsoft.IdentityServer.Diagnostics.ADFSTraceListener,Microsoft.IdentityServer.Diagnostics,Version=6.3.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL" />
      </listeners>
    </source>
    <source name="System.ServiceModel.MessageLogging" switchValue="Off">
      <listeners>
        <add name="ADFSWcfListener" traceOutputOptions="ProcessId,ThreadId" initializeData="Wcf" type="Microsoft.IdentityServer.Diagnostics.ADFSTraceListener,Microsoft.IdentityServer.Diagnostics,Version=6.3.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL" />
      </listeners>
    </source>
  </sources>
  <trace autoflush="true" ></trace>
</system.diagnostics>
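ITfoxtec AD FS Audit is configured in the "system.diagnostics" element. Compared with the original, the "Microsoft.IdentityModel" source is set to switchValue "Verbose" and uses the "EventLogIdentityModelListener" (the original "ADFSWifListener" is commented out), and a "System.Net.HttpListener" source with the "EventLogHttpListener" is added: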
<system.diagnostics>
  <sources>
    <source name="Microsoft.IdentityModel" switchValue="Verbose">
      <listeners>
        <add name="EventLogIdentityModelListener" type="ITfoxtec.AdfsAuditing.EventLogIdentityModelListener, ITfoxtec.AdfsAuditing, Version=1.0.0.0, Culture=neutral, PublicKeyToken=b2673fdcc9b2bfae" />
        <!--<add name="ADFSWifListener" traceOutputOptions="ProcessId,ThreadId" initializeData="Wif" type="Microsoft.IdentityServer.Diagnostics.ADFSTraceListener,Microsoft.IdentityServer.Diagnostics,Version=6.3.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL" />-->
      </listeners>
    </source>
    <source name="System.Net.HttpListener" tracemode="protocolonly" maxdatasize="10000" switchValue="Verbose">
      <listeners>
        <add name="EventLogHttpListener" type="ITfoxtec.AdfsAuditing.EventLogHttpListener, ITfoxtec.AdfsAuditing, Version=1.0.0.0, Culture=neutral, PublicKeyToken=b2673fdcc9b2bfae" />
      </listeners>
    </source>
    <source name="System.ServiceModel" switchValue="Off">
      <listeners>
        <add name="ADFSWcfListener" traceOutputOptions="ProcessId,ThreadId" initializeData="Wcf" type="Microsoft.IdentityServer.Diagnostics.ADFSTraceListener,Microsoft.IdentityServer.Diagnostics,Version=6.3.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL" />
      </listeners>
    </source>
    <source name="System.ServiceModel.MessageLogging" switchValue="Off">
      <listeners>
        <add name="ADFSWcfListener" traceOutputOptions="ProcessId,ThreadId" initializeData="Wcf" type="Microsoft.IdentityServer.Diagnostics.ADFSTraceListener,Microsoft.IdentityServer.Diagnostics,Version=6.3.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL" />
      </listeners>
    </source>
  </sources>
  <trace autoflush="true" ></trace>
</system.diagnostics>
The ITfoxtec AD FS Audit configuration as text file.
5) Start the AD FS service
Start the Active Directory Federation Services service. For example, with the command: "net start adfssrv"
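Steps 1 to 5 scripted for one AD FS server, as an added example that is not part of ITfoxtec's documentation or tooling. It assumes the DLL and ITfoxtec.CreateAuditingEventSource.exe sit in a hypothetical $PackageDir folder; it edits the config idempotently, keeps a timestamped backup, and ends by reading back entries from the new log source.

```powershell
#Requires -RunAsAdministrator
# Added example, not ITfoxtec's installer. $PackageDir (folder holding the
# unpacked ITfoxtec files) is an assumption; other values are from this page.
param([string]$PackageDir = '.')
$ErrorActionPreference = 'Stop'
$adfsDir   = 'C:\Windows\ADFS'
$config    = Join-Path $adfsDir 'Microsoft.IdentityServer.Servicehost.exe.config'
$logSource = 'AD FS, ITfoxtec Auditing'
$asm       = 'ITfoxtec.AdfsAuditing, Version=1.0.0.0, Culture=neutral, PublicKeyToken=b2673fdcc9b2bfae'

function Add-AuditListener($Doc, $SourceNode, [string]$Class) {
    # Idempotent: create <listeners> if missing, add the listener only once.
    $listeners = $SourceNode.SelectSingleNode('listeners')
    if ($null -eq $listeners) { $listeners = $SourceNode.AppendChild($Doc.CreateElement('listeners')) }
    if ($null -ne $listeners.SelectSingleNode("add[@name='$Class']")) { return }
    $add = $Doc.CreateElement('add')
    $add.SetAttribute('name', $Class)
    $add.SetAttribute('type', "ITfoxtec.AdfsAuditing.$Class, $asm")
    [void]$listeners.AppendChild($add)
}

# Step 1: only needed the first time; the tool also writes a test entry.
if (-not [System.Diagnostics.EventLog]::SourceExists($logSource)) { & (Join-Path $PackageDir 'ITfoxtec.CreateAuditingEventSource.exe') }
Stop-Service adfssrv                                                        # step 2
try {
    Copy-Item (Join-Path $PackageDir 'ITfoxtec.AdfsAuditing.dll') $adfsDir -Force   # step 3
    Copy-Item $config "$config.$(Get-Date -Format yyyyMMddHHmmss).bak"      # rollback copy
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($config)
    $sources = $doc.SelectSingleNode('//system.diagnostics/sources')
    # Step 4a: Microsoft.IdentityModel -> Verbose, stock listener commented out.
    $wif = $sources.SelectSingleNode("source[@name='Microsoft.IdentityModel']")
    $wif.SetAttribute('switchValue', 'Verbose')
    $old = $wif.SelectSingleNode("listeners/add[@name='ADFSWifListener']")
    if ($null -ne $old) { [void]$old.ParentNode.ReplaceChild($doc.CreateComment($old.OuterXml), $old) }
    Add-AuditListener $doc $wif 'EventLogIdentityModelListener'
    # Step 4b: add the System.Net.HttpListener source if it is not there yet.
    $http = $sources.SelectSingleNode("source[@name='System.Net.HttpListener']")
    if ($null -eq $http) {
        $http  = $doc.CreateElement('source')
        $attrs = [ordered]@{ name = 'System.Net.HttpListener'; tracemode = 'protocolonly'; maxdatasize = '10000'; switchValue = 'Verbose' }
        foreach ($k in $attrs.Keys) { $http.SetAttribute($k, $attrs[$k]) }
        [void]$sources.InsertAfter($http, $wif)
    }
    Add-AuditListener $doc $http 'EventLogHttpListener'
    $doc.Save($config)      # nothing is written unless every edit above succeeded
} finally { Start-Service adfssrv }                                         # step 5
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = $logSource } -MaxEvents 5 -ErrorAction SilentlyContinue
```

Run it on every AD FS server in the farm, as the installation section requires.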