The SSO Log rule set generates the SSO access log, and optionally the SSO trace log, from information about SSO requests that the proxy stores in the SSO.LogAttributes property.
The SSO proxy stores information about internal and external SSO requests in the SSO.LogAttributes property.
When SSO logging is enabled:
- Internal requests are logged to the SSO access log instead of the general access log.
- External requests, which come from outside Secure Web Gateway, are logged to the general access log.
To enable SSO logging, import the SSO Log rule set from the Logging rule set group in the Rule Set Library. The SSO Log rule set consists of the following nested rule sets:
- Access Log — Logs error and info messages to the SSO access log file.
- Trace Log — Logs all messages to the SSO trace log file.
- Stop Logging — Stops the SSO Log rule set cycle.
NOTE: The trace log is more detailed than the access log and is intended for debugging the SSO feature.
Enabling SSO logging involves these overall steps:
- Add the SSO Log rule set to the Log Handler rule set tree.
- Move the SSO Log rule set above the Default logging rule sets in the Log Handler tree. This step ensures that SSO requests are logged to the SSO access log before the general access log and that the logging cycle is then stopped.
- (Optional) Enable SSO trace logging.
Enable SSO logging
When you enable SSO logging, SSO requests are logged to the SSO access log instead of the general access log. You can also enable SSO trace logging.
NOTE: If you enable trace logging, we recommend that you set the log level to Full. To locate the log level setting, select Policy | Settings | Engines | Single Sign On | Default | Advanced Settings.
- Select Policy | Rule Sets | Log Handler | Default.
- From the Add drop-down list, select Rule Set from Library.
The Add from Rule Set Library dialog box opens.
- Expand Logging, then select SSO Log.
- If importing the rule set creates conflicts, click Auto-Solve Conflicts, click one of the following strategies, then click OK.
- Solve by referring to existing objects
- Solve by copying and renaming to suggested
The SSO Log rule set is added to the Log Handler tree.
- In the Log Handler tree, move the SSO Log rule set above the Default rule sets.
- (Optional) To enable detailed logging:
- In the Log Handler tree, expand SSO Log, then select the Trace Log rule set.
- In the configuration window, select the Enable checkbox.