Symantec Access Management

  • 1.  Capture client user agent information for O365 integration

    Posted Oct 12, 2017 11:01 AM

    We have set up SPS and enabled STS to integrate with MS Office 365. Would like to know if there is a way to capture the MS Office client information from SiteMinder's audit log?

     

    We know that the Office 365 server will return the X-MS-Client-User-Agent when requesting authentication to STS. Is there any way we can capture this information in SiteMinder's log?

     

    Thanks.



  • 2.  Re: Capture client user agent information for O365 integration

    Posted Oct 16, 2017 08:21 PM

    Hi Tc,

     

    I don't think the Audit log (smaccess.log) could be customized to include custom headers.

     

    However, you should be able to get this info in the SPS --> Apache --> access log by using a custom log format as below:

     

    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{X-MS-Client-User-Agent}i\" \"%{User-Agent}i\" \"%{Host}i\"" CAFormat  
    CustomLog "logs/access.log" CAFormat 

     

    Regards,

    Ujwol



  • 3.  Re: Capture client user agent information for O365 integration

    Posted Oct 16, 2017 09:46 PM

    Hi Ujwol,

     

    We are currently configured this way in SPS. However, it is not able to identify which combination of (user+IP+user-agent) a successful/failed authentication is coming from.

     

    TC



  • 4.  Re: Capture client user agent information for O365 integration

    Posted Oct 16, 2017 11:13 PM

    Hi TC,

     

    How about enabling Enhanced Tracing on the policy server side, so it prints the TransactionID in the smaccess.log?

    Then, also configure the SPS --> Apache to print the transaction ID along with the X-MS-Client-User-Agent header?

    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{X-MS-Client-User-Agent}i\" \"%{SM_TRANSACTIONID}i\" \"%{Host}i\"" CAFormat  
    CustomLog "logs/access.log" CAFormat 

     

    log format of webagent trace logs and policy server access logs 

     

    That way, you should be able to correlate the AuthAccept/AuthReject failure in the audit log with the User Agent identifier from the Apache access logs.

     

    Regards,

    Ujwol
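
Added example (not part of the thread, and not CA/Symantec code): a parser for access-log lines written with the CAFormat from the reply above, joined to audit events on transaction ID. It assumes the audit side has already been reduced to a mapping of transaction ID to (event, user); all sample values are constructed, and lines whose transaction ID was logged as "-" are returned as uncorrelatable.

```python
import re

# Body of a quoted field. Apache backslash-escapes quotes inside logged header
# values, so a client-supplied '"' cannot break out of its field.
Q = r'(?:[^"\\]|\\.)*'

# CAFormat from the reply above:
# %h %l %u %t "%r" %>s %b "X-MS-Client-User-Agent" "SM_TRANSACTIONID" "Host"
CA_FORMAT = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    rf'"(?P<request>{Q})" (?P<status>\d{{3}}) \S+ '
    rf'"(?P<client_ua>{Q})" "(?P<txid>{Q})" "(?P<host>{Q})"$'
)

def parse_access_line(line):
    """Return the fields of one CAFormat line as a dict, or None if it does not match."""
    m = CA_FORMAT.match(line.strip())
    return m.groupdict() if m else None

def correlate(access_lines, audit_events):
    """Join access-log lines to audit events on transaction ID.

    audit_events maps transaction ID -> (event, user); building it from the
    audit log is assumed to happen elsewhere. Returns (matched, unmatched).
    """
    matched, unmatched = [], []
    for line in access_lines:
        rec = parse_access_line(line)
        # "-" is what Apache logs when the request carried no such header.
        hit = audit_events.get(rec["txid"]) if rec and rec["txid"] != "-" else None
        if hit is None:
            unmatched.append(line)
        else:
            matched.append((hit[0], hit[1], rec["ip"], rec["client_ua"]))
    return matched, unmatched

# Constructed sample data: addresses, paths, IDs, users and client strings are made up.
SAMPLE_ACCESS = [
    '192.0.2.10 - - [26/Oct/2017:16:06:00 +0800] "POST /placeholder HTTP/1.1" 200 3512 '
    '"Example.Client.A" "tx-0001" "sps.example.com"',
    '198.51.100.7 - - [26/Oct/2017:16:06:05 +0800] "POST /placeholder HTTP/1.1" 401 512 '
    '"Example \\"Client\\" B" "tx-0002" "sps.example.com"',
    '192.0.2.10 - - [26/Oct/2017:16:06:09 +0800] "GET /placeholder HTTP/1.1" 200 3512 '
    '"-" "-" "sps.example.com"',
]
SAMPLE_AUDIT = {"tx-0001": ("AuthAccept", "alice"), "tx-0002": ("AuthReject", "bob")}

if __name__ == "__main__":
    matched, unmatched = correlate(SAMPLE_ACCESS, SAMPLE_AUDIT)
    for event, user, ip, ua in matched:
        print(event, user, ip, ua)
    print(len(unmatched), "line(s) could not be correlated")
```

The header value is client-supplied, so treat the extracted client string as untrusted data when it is forwarded to a SIEM or rendered in a report.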

     



  • 5.  Re: Capture client user agent information for O365 integration

    Posted Oct 26, 2017 04:15 AM

    Hi Ujwol,

     

    As you suggested, I configured Apache to print the Transaction ID in the access log as below:

     

    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{User-Agent}i\" \"%{Host}i\" \"%{SM_TRANSACTIONID}i\"" myformat

     

    CustomLog "|'C:/CA/secure-proxy/httpd/bin/rotatelogs.exe' 'C:/CA/secure-proxy/httpd/logs/access_log' 10M" myformat

     

     

    After these changes the access_log content looks like:

    192.168.68.131 - - [26/Oct/2017:16:06:00 +0800] "GET /affwebservices/public/saml2sso?SMASSERTIONREF=QUERY&SPID=SP1 HTTP/1.1" 200 3512 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)" "iamserver.mydomain.com:9090" "-"

     

    The TransactionID value is not shown in the log.