From ce2c54edd35123543e37dd84a72d866146241535 Mon Sep 17 00:00:00 2001
From: Sahan Dilshan <sahandilshan222@gmail.com>
Date: Thu, 13 Jul 2023 00:03:04 +0530
Subject: [PATCH 1/7] Add diagnostic logs

Add diagnostic logs for SAML login/logout flows
---
 .../identity/sso/saml/SAMLSSOConstants.java   |  1 +
 .../SPInitLogoutRequestProcessor.java         | 56 ++++++++++++++++++-
 .../SPInitSSOAuthnRequestProcessor.java       | 48 +++++++++++++++-
 .../servlet/SAMLArtifactResolveServlet.java   |  3 -
 .../saml/servlet/SAMLSSOProviderServlet.java  | 40 +++++++++++++
 5 files changed, 143 insertions(+), 5 deletions(-)

diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java
index 48bdedd58..c259dfea0 100644
--- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java
+++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java
@@ -114,6 +114,7 @@ public class SAMLSSOConstants {
     public static final String CACHE_CONTROL_VALUE_NO_CACHE = "no-cache";
 
     public static final String IS_POST = "isPost";
+    public static final String SAML_INBOUND_SERVICE = "saml-inbound-service";
 
     private SAMLSSOConstants() {
     }
diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitLogoutRequestProcessor.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitLogoutRequestProcessor.java
index f07b14d8d..b7665fe90 100644
--- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitLogoutRequestProcessor.java
+++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitLogoutRequestProcessor.java
@@ -25,6 +25,7 @@
 import org.wso2.carbon.context.PrivilegedCarbonContext;
 import org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil;
 import org.wso2.carbon.identity.base.IdentityException;
+import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;
 import org.wso2.carbon.identity.core.model.SAMLSSOServiceProviderDO;
 import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
 import org.wso2.carbon.identity.core.util.IdentityUtil;
@@ -40,6 +41,7 @@
 import org.wso2.carbon.identity.sso.saml.validators.ValidationResult;
 import org.wso2.carbon.user.api.UserStoreException;
 import org.wso2.carbon.user.core.UserCoreConstants;
+import org.wso2.carbon.utils.DiagnosticLog;
 import org.wso2.carbon.utils.multitenancy.MultitenantConstants;
 
 import java.io.IOException;
@@ -48,6 +50,8 @@
 import java.util.Map;
 import java.util.function.Function;
 
+import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.SAML_INBOUND_SERVICE;
+
 /**
  * Handles validation of SP initiated logout requests.
  */
@@ -91,7 +95,16 @@ public SAMLSSOReqValidationResponseDTO process(LogoutRequest logoutRequest, Stri
 
         SAMLSSOReqValidationResponseDTO reqValidationResponseDTO = new SAMLSSOReqValidationResponseDTO();
         reqValidationResponseDTO.setLogOutReq(true);
-
+        if (LoggerUtils.isDiagnosticLogsEnabled()) {
+            DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+                    SAML_INBOUND_SERVICE, "saml-logout-processing");
+            diagnosticLogBuilder.resultMessage("Processing SP initiated logout request.")
+                    .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
+                    .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
+                    .inputParam("issuer", logoutRequest.getIssuer().getValue())
+                    .inputParam("reason", logoutRequest.getReason());
+            LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
+        }
         try {
 
             // List of validators that we need to run before processing the logout.
@@ -111,6 +124,16 @@ public SAMLSSOReqValidationResponseDTO process(LogoutRequest logoutRequest, Stri
             for (Function<LogoutRequest, ValidationResult<SAMLSSOReqValidationResponseDTO>> validator :
                     logoutRequestValidators) {
                 ValidationResult<SAMLSSOReqValidationResponseDTO> validationResult = validator.apply(logoutRequest);
+                if (LoggerUtils.isDiagnosticLogsEnabled()) {
+                    DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+                            SAML_INBOUND_SERVICE, "saml-logout-processing");
+                    diagnosticLogBuilder.resultMessage("Validating logout request.")
+                            .logDetailLevel(DiagnosticLog.LogDetailLevel.INTERNAL_SYSTEM)
+                            .inputParam("issuer", logoutRequest.getIssuer().getValue())
+                            .inputParam("validatorName", validator.getClass().getName())
+                            .inputParam("validationResult", validationResult.getValidationStatus());
+                    LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
+                }
                 if (!validationResult.getValidationStatus()) {
                     return validationResult.getValue();
                 }
@@ -190,8 +213,27 @@ public SAMLSSOReqValidationResponseDTO process(LogoutRequest logoutRequest, Stri
             reqValidationResponseDTO.setLogoutResponse(SAMLSSOUtil.encode(SAMLSSOUtil.marshall(logoutResponse)));
             reqValidationResponseDTO.setValid(true);
 
+            if (LoggerUtils.isDiagnosticLogsEnabled()) {
+                DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+                        SAML_INBOUND_SERVICE, "saml-logout-processing");
+                diagnosticLogBuilder.resultMessage("Successfully processed SP initiated logout request.")
+                        .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
+                        .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
+                        .inputParam("issuer", reqValidationResponseDTO.getIssuer())
+                        .inputParam("consumerURL", reqValidationResponseDTO.getAssertionConsumerURL());
+                LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
+            }
             return reqValidationResponseDTO;
         } catch (UserStoreException | IdentityException | IOException e) {
+            if (LoggerUtils.isDiagnosticLogsEnabled()) {
+                DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+                        SAML_INBOUND_SERVICE, "saml-logout-processing");
+                diagnosticLogBuilder.resultMessage("Error processing SP initiated logout request.")
+                        .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
+                        .resultStatus(DiagnosticLog.ResultStatus.FAILED)
+                        .inputParam("errorMsg", e.getMessage());
+                LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
+            }
             throw IdentityException.error("Error Processing the Logout Request", e);
         }
     }
@@ -306,6 +348,18 @@ private SAMLSSOReqValidationResponseDTO buildErrorResponse(String id, String sta
             }
             reqValidationResponseDTO.setIssuer(issuer);
         }
+        if (LoggerUtils.isDiagnosticLogsEnabled()) {
+            DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+                    SAML_INBOUND_SERVICE, "saml-logout-processing");
+            diagnosticLogBuilder.resultMessage("Error while processing the SAML logout request.")
+                    .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
+                    .resultStatus(DiagnosticLog.ResultStatus.FAILED)
+                    .inputParam("issuer", reqValidationResponseDTO.getIssuer())
+                    .inputParam("consumerURL", reqValidationResponseDTO.getAssertionConsumerURL())
+                    .inputParam("errorMessage", statMsg)
+                    .inputParam("statusCode", status);
+            LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
+        }
         return reqValidationResponseDTO;
     }
 
diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitSSOAuthnRequestProcessor.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitSSOAuthnRequestProcessor.java
index b9ae527ea..e0b7750e7 100644
--- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitSSOAuthnRequestProcessor.java
+++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitSSOAuthnRequestProcessor.java
@@ -24,6 +24,7 @@
 import org.opensaml.saml.saml2.core.Response;
 import org.wso2.carbon.context.PrivilegedCarbonContext;
 import org.wso2.carbon.identity.base.IdentityException;
+import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;
 import org.wso2.carbon.identity.core.model.SAMLSSOServiceProviderDO;
 
 import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
@@ -38,10 +39,13 @@
 import org.wso2.carbon.identity.sso.saml.session.SSOSessionPersistenceManager;
 import org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil;
 import org.wso2.carbon.registry.core.utils.UUIDGenerator;
+import org.wso2.carbon.utils.DiagnosticLog;
 
 import java.util.ArrayList;
 import java.util.List;
 
+import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.SAML_INBOUND_SERVICE;
+
 public class SPInitSSOAuthnRequestProcessor implements SSOAuthnRequestProcessor{
 
     private static final Log log = LogFactory.getLog(SPInitSSOAuthnRequestProcessor.class);
@@ -49,6 +53,16 @@ public class SPInitSSOAuthnRequestProcessor implements SSOAuthnRequestProcessor{
     public SAMLSSORespDTO process(SAMLSSOAuthnReqDTO authnReqDTO, String sessionId,
                                   boolean isAuthenticated, String authenticators, String authMode) throws Exception {
 
+        if (LoggerUtils.isDiagnosticLogsEnabled()) {
+            DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+                    SAML_INBOUND_SERVICE, "saml-request-validation");
+            diagnosticLogBuilder.resultMessage("Validating SAML Authn Request.")
+                    .inputParam("SAMLRequest", authnReqDTO.getRequestMessageString())
+                    .inputParam("authMode", authMode)
+                    .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
+                    .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION);
+            LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
+        }
         try {
             SAMLSSOServiceProviderDO serviceProviderConfigs = SAMLSSOUtil.getServiceProviderConfig(authnReqDTO
                     .getIssuer(), authnReqDTO.getTenantDomain());
@@ -179,7 +193,17 @@ public SAMLSSORespDTO process(SAMLSSOAuthnReqDTO authnReqDTO, String sessionId,
                 samlssoRespDTO.setLoginPageURL(authnReqDTO.getLoginPageURL());
                 samlssoRespDTO.setSubject(authnReqDTO.getUser());
             }
-
+            if (LoggerUtils.isDiagnosticLogsEnabled() && samlssoRespDTO != null) {
+                DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+                        SAML_INBOUND_SERVICE, "saml-request-validation");
+                diagnosticLogBuilder.resultMessage("SAML Request validation successful.")
+                        .inputParam("consumerURL", samlssoRespDTO.getAssertionConsumerURL())
+                        .inputParam("userId", samlssoRespDTO.getSubject().getUserId())
+                        .inputParam("issuer", authnReqDTO.getIssuer())
+                        .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
+                        .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION);
+                LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
+            }
             return samlssoRespDTO;
         } catch (Exception e) {
             log.error("Error processing the authentication request", e);
@@ -287,6 +311,18 @@ private SAMLSSORespDTO buildErrorResponse(String id, String status,
 
         List<String> statusCodeList = new ArrayList<String>();
         statusCodeList.add(status);
+        if (LoggerUtils.isDiagnosticLogsEnabled()) {
+            DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+                    SAML_INBOUND_SERVICE, "saml-request-validation");
+            diagnosticLogBuilder.logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
+                    .inputParam("SAMLRequest", id)
+                    .inputParam("errorStatesCode", status)
+                    .inputParam("errorStatesMessage", statMsg)
+                    .inputParam("destination", destination)
+                    .resultMessage("An error occurred while processing the SAML request.")
+                    .resultStatus(DiagnosticLog.ResultStatus.FAILED);
+            LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
+        }
         return buildErrorResponse(id, statusCodeList, statMsg, destination);
     }
 
@@ -300,6 +336,16 @@ private SAMLSSORespDTO buildErrorResponse(String id, List<String> statusCodeList
 
         samlSSORespDTO.setRespString(encodedResponse);
         samlSSORespDTO.setSessionEstablished(false);
+        if (LoggerUtils.isDiagnosticLogsEnabled()) {
+            DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+                    SAML_INBOUND_SERVICE, "saml-request-validation");
+            diagnosticLogBuilder.logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
+                    .inputParam("SAMLRequest", id)
+                    .inputParam("errorSAMLResponse", encodedResponse)
+                    .resultMessage("An error occurred while processing the SAML request.")
+                    .resultStatus(DiagnosticLog.ResultStatus.FAILED);
+            LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
+        }
         return samlSSORespDTO;
     }
 
diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLArtifactResolveServlet.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLArtifactResolveServlet.java
index d9d81ff17..4781b8a6a 100644
--- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLArtifactResolveServlet.java
+++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLArtifactResolveServlet.java
@@ -39,7 +39,6 @@
 import org.wso2.carbon.identity.sso.saml.exception.ArtifactBindingException;
 import org.wso2.carbon.identity.sso.saml.exception.IdentitySAML2SSOException;
 import org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil;
-import org.wso2.carbon.ui.CarbonUIUtil;
 
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
@@ -49,9 +48,7 @@
 import java.net.URLDecoder;
 import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
-import java.util.HashMap;
 import java.util.Iterator;
-import java.util.Map;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java
index 96540bcf4..36614b5a4 100644
--- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java
+++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java
@@ -46,6 +46,7 @@
 import org.wso2.carbon.identity.application.mgt.ApplicationManagementService;
 import org.wso2.carbon.identity.base.IdentityConstants;
 import org.wso2.carbon.identity.base.IdentityException;
+import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;
 import org.wso2.carbon.identity.core.ServiceURLBuilder;
 import org.wso2.carbon.identity.core.URLBuilderException;
 import org.wso2.carbon.identity.core.model.IdentityCookieConfig;
@@ -84,6 +85,7 @@
 import org.wso2.carbon.idp.mgt.util.IdPManagementUtil;
 import org.wso2.carbon.registry.core.utils.UUIDGenerator;
 import org.wso2.carbon.user.api.UserStoreException;
+import org.wso2.carbon.utils.DiagnosticLog;
 import org.wso2.carbon.utils.multitenancy.MultitenantConstants;
 
 import java.io.IOException;
@@ -112,6 +114,7 @@
 import javax.xml.transform.TransformerException;
 
 import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.RequestParams.TENANT_DOMAIN;
+import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.SAML_INBOUND_SERVICE;
 
 /**
  * This is the entry point for authentication process in an SSO scenario. This servlet is registered
@@ -627,6 +630,15 @@ private void handleIdPInitSSO(HttpServletRequest req, HttpServletResponse resp,
                                   boolean isPost, boolean isLogout) throws UserStoreException, IdentityException,
                                                                       IOException, ServletException {
 
+        if (LoggerUtils.isDiagnosticLogsEnabled()) {
+            DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+                    SAML_INBOUND_SERVICE, "saml-request-handle");
+            diagnosticLogBuilder.resultMessage("Handling IdP Initiated SSO request.")
+                    .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
+                    .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
+                    .inputParam("queryString", queryString);
+            LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
+        }
         String rpSessionId = req.getParameter(MultitenantConstants.SSO_AUTH_SESSION_ID);
         SAMLSSOService samlSSOService = new SAMLSSOService();
 
@@ -747,6 +759,15 @@ private void handleSPInitSSO(HttpServletRequest req, HttpServletResponse resp,
                                  String samlRequest, String sessionId, boolean isPost)
             throws UserStoreException, IdentityException, IOException, ServletException {
 
+        if (LoggerUtils.isDiagnosticLogsEnabled()) {
+            DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+                    SAML_INBOUND_SERVICE, "saml-request-handle");
+            diagnosticLogBuilder.resultMessage("Handling SP Initiated SSO request.")
+                    .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
+                    .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
+                    .inputParam("queryString", queryString);
+            LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
+        }
         String rpSessionId = req.getParameter(MultitenantConstants.SSO_AUTH_SESSION_ID);
         SAMLSSOService samlSSOService = new SAMLSSOService();
 
@@ -1100,6 +1121,17 @@ private void handleAuthenticationReponseFromFramework(HttpServletRequest req, Ht
                                                           String sessionId, SAMLSSOSessionDTO sessionDTO)
             throws UserStoreException, IdentityException, IOException, ServletException {
 
+        if (LoggerUtils.isDiagnosticLogsEnabled()) {
+            DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+                    SAML_INBOUND_SERVICE, "receive-authn-response");
+            diagnosticLogBuilder.resultMessage("Received authentication response from framework")
+                    .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
+                    .logDetailLevel(DiagnosticLog.LogDetailLevel.INTERNAL_SYSTEM)
+                    .inputParam("SAMLIssuer", sessionDTO.getIssuer())
+                    .inputParam("authenticatedUser", LoggerUtils.isLogMaskingEnable ? LoggerUtils.getMaskedContent(
+                            sessionDTO.getSubject()) : sessionDTO.getSubject());
+            LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
+        }
         String sessionDataKey = getSessionDataKey(req);
         AuthenticationResult authResult = getAuthenticationResult(req, sessionDataKey);
 
@@ -1670,6 +1702,14 @@ private void sendRequestToFramework(HttpServletRequest request, HttpServletRespo
         CommonAuthResponseWrapper responseWrapper = new CommonAuthResponseWrapper(response);
         commonAuthenticationHandler.doGet(request, responseWrapper);
 
+        if (LoggerUtils.isDiagnosticLogsEnabled()) {
+            DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+                    SAML_INBOUND_SERVICE, "hand-over-to-framework");
+            diagnosticLogBuilder.resultMessage("Forward SAML request to framework for user authentication.")
+                    .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
+                    .logDetailLevel(DiagnosticLog.LogDetailLevel.INTERNAL_SYSTEM);
+            LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
+        }
         Object object = request.getAttribute(FrameworkConstants.RequestParams.FLOW_STATUS);
         if (object != null) {
             AuthenticatorFlowStatus status = (AuthenticatorFlowStatus) object;

From 2556dd4fe3b002de27bff84641a3c3c16728d745 Mon Sep 17 00:00:00 2001
From: Sahan Dilshan <sahandilshan222@gmail.com>
Date: Sun, 16 Jul 2023 22:24:54 +0530
Subject: [PATCH 2/7] Add diagnostic logs for idp based saml requests

---
 .../IdPInitLogoutRequestProcessor.java        | 63 ++++++++++++-
 .../IdPInitSSOAuthnRequestProcessor.java      | 36 ++++++++
 .../saml/servlet/SAMLSSOProviderServlet.java  | 90 +++++++++++--------
 3 files changed, 152 insertions(+), 37 deletions(-)

diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/IdPInitLogoutRequestProcessor.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/IdPInitLogoutRequestProcessor.java
index 088c8f89e..eca0cd523 100644
--- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/IdPInitLogoutRequestProcessor.java
+++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/IdPInitLogoutRequestProcessor.java
@@ -21,6 +21,7 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.wso2.carbon.identity.base.IdentityException;
+import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;
 import org.wso2.carbon.identity.core.model.SAMLSSOServiceProviderDO;
 import org.wso2.carbon.identity.sso.saml.SAMLSSOConstants;
 import org.wso2.carbon.identity.sso.saml.dto.QueryParamDTO;
@@ -29,10 +30,12 @@
 import org.wso2.carbon.identity.sso.saml.session.SessionInfoData;
 import org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil;
 import org.wso2.carbon.user.api.UserStoreException;
+import org.wso2.carbon.utils.DiagnosticLog;
 import org.wso2.carbon.utils.multitenancy.MultitenantConstants;
 
 import java.util.Map;
 
+import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.SAML_INBOUND_SERVICE;
 import static org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil.splitAppendedTenantDomain;
 
 public class IdPInitLogoutRequestProcessor implements IdpInitSSOLogoutRequestProcessor{
@@ -70,6 +73,24 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
 
         init(queryParamDTOs);
 
+        DiagnosticLog.DiagnosticLogBuilder finalizeDiagLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+                SAML_INBOUND_SERVICE, "saml-logout-processing");
+        if (LoggerUtils.isDiagnosticLogsEnabled()) {
+            DiagnosticLog.DiagnosticLogBuilder initializeDiagLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+                    SAML_INBOUND_SERVICE, "saml-logout-processing");
+            initializeDiagLogBuilder.resultMessage("Processing IDP initiated logout request.")
+                    .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
+                    .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
+                    .inputParam("server url", serverURL);
+            if (StringUtils.isNotBlank(returnTo)) {
+                initializeDiagLogBuilder.inputParam("return to", returnTo);
+            }
+            if (StringUtils.isNotBlank(spEntityID)) {
+                initializeDiagLogBuilder.inputParam("sp entity id", spEntityID);
+            }
+            LoggerUtils.triggerDiagnosticLogEvent(initializeDiagLogBuilder);
+
+        }
         SAMLSSOReqValidationResponseDTO validationResponseDTO = new SAMLSSOReqValidationResponseDTO();
 
         try {
@@ -80,6 +101,10 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
                 log.error(SAMLSSOConstants.Notification.INVALID_SESSION);
                 validationResponseDTO.setValid(false);
                 validationResponseDTO.setLogoutFromAuthFramework(true);
+                if (LoggerUtils.isDiagnosticLogsEnabled()) {
+                    finalizeDiagLogBuilder.resultStatus(DiagnosticLog.ResultStatus.FAILED)
+                            .resultMessage(SAMLSSOConstants.Notification.INVALID_SESSION);
+                }
                 return validationResponseDTO;
             }
 
@@ -93,6 +118,10 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
                 log.error(SAMLSSOConstants.Notification.INVALID_SESSION);
                 validationResponseDTO.setValid(false);
                 validationResponseDTO.setLogoutFromAuthFramework(true);
+                if (LoggerUtils.isDiagnosticLogsEnabled()) {
+                    finalizeDiagLogBuilder.resultStatus(DiagnosticLog.ResultStatus.FAILED)
+                            .resultMessage(SAMLSSOConstants.Notification.INVALID_SESSION);
+                }
                 return validationResponseDTO;
             }
             validationResponseDTO.setSessionIndex(sessionIndex);
@@ -103,6 +132,10 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
                 if (StringUtils.isNotBlank(returnTo)) {
                     log.error(SAMLSSOConstants.Notification.NO_SP_ENTITY_PARAM);
                     validationResponseDTO.setValid(false);
+                    if (LoggerUtils.isDiagnosticLogsEnabled()) {
+                        finalizeDiagLogBuilder.resultStatus(DiagnosticLog.ResultStatus.FAILED)
+                                .resultMessage(SAMLSSOConstants.Notification.NO_SP_ENTITY_PARAM);
+                    }
                     return validationResponseDTO;
                 }
 
@@ -114,12 +147,21 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
                 if (logoutReqIssuer == null) {
                     log.error(String.format(SAMLSSOConstants.Notification.INVALID_SP_ENTITY_ID, spEntityID));
                     validationResponseDTO.setValid(false);
+                    if (LoggerUtils.isDiagnosticLogsEnabled()) {
+                        finalizeDiagLogBuilder.resultStatus(DiagnosticLog.ResultStatus.FAILED)
+                                .resultMessage(SAMLSSOConstants.Notification.INVALID_SP_ENTITY_ID);
+                    }
                     return validationResponseDTO;
                 }
 
                 if (!logoutReqIssuer.isIdPInitSLOEnabled()) {
-                    log.error(String.format(SAMLSSOConstants.Notification.IDP_SLO_NOT_ENABLED, spEntityID));
+                    String errorMsg = String.format(SAMLSSOConstants.Notification.IDP_SLO_NOT_ENABLED, spEntityID);
+                    log.error(errorMsg);
                     validationResponseDTO.setValid(false);
+                    if (LoggerUtils.isDiagnosticLogsEnabled()) {
+                        finalizeDiagLogBuilder.resultStatus(DiagnosticLog.ResultStatus.FAILED)
+                                .resultMessage(errorMsg);
+                    }
                     return validationResponseDTO;
                 }
 
@@ -128,6 +170,10 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
                             .getAssertionConsumerUrlList().contains(returnTo)) {
                         log.error(SAMLSSOConstants.Notification.INVALID_RETURN_TO_URL);
                         validationResponseDTO.setValid(false);
+                        if (LoggerUtils.isDiagnosticLogsEnabled()) {
+                            finalizeDiagLogBuilder.resultStatus(DiagnosticLog.ResultStatus.FAILED)
+                                    .resultMessage(SAMLSSOConstants.Notification.INVALID_RETURN_TO_URL);
+                        }
                         return validationResponseDTO;
                     }
                     validationResponseDTO.setReturnToURL(returnTo);
@@ -138,9 +184,24 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
                 SAMLSSOUtil.setTenantDomainInThreadLocal(logoutReqIssuer.getTenantDomain());
             }
             validationResponseDTO.setValid(true);
+            if (LoggerUtils.isDiagnosticLogsEnabled()) {
+                finalizeDiagLogBuilder.resultMessage("Successfully processed IDP initiated logout request.")
+                        .resultStatus(DiagnosticLog.ResultStatus.SUCCESS);
+
+            }
 
         } catch (UserStoreException | IdentityException e) {
+            if (LoggerUtils.isDiagnosticLogsEnabled()) {
+                finalizeDiagLogBuilder.resultStatus(DiagnosticLog.ResultStatus.FAILED)
+                        .resultMessage("Error while processing IDP initiated logout request.")
+                        .inputParam("error message", e.getMessage());
+            }
             throw IdentityException.error(SAMLSSOConstants.Notification.IDP_SLO_VALIDATE_ERROR, e);
+        } finally {
+            if (LoggerUtils.isDiagnosticLogsEnabled()) {
+                finalizeDiagLogBuilder.logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION);
+                LoggerUtils.triggerDiagnosticLogEvent(finalizeDiagLogBuilder);
+            }
         }
         return validationResponseDTO;
     }
diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/IdPInitSSOAuthnRequestProcessor.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/IdPInitSSOAuthnRequestProcessor.java
index a42fcd4ea..b8b52a413 100644
--- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/IdPInitSSOAuthnRequestProcessor.java
+++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/IdPInitSSOAuthnRequestProcessor.java
@@ -23,6 +23,7 @@
 import org.opensaml.saml.saml2.core.Response;
 import org.wso2.carbon.context.PrivilegedCarbonContext;
 import org.wso2.carbon.identity.base.IdentityException;
+import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;
 import org.wso2.carbon.identity.core.model.SAMLSSOServiceProviderDO;
 import org.wso2.carbon.identity.sso.saml.SAMLSSOConstants;
 import org.wso2.carbon.identity.sso.saml.SSOServiceProviderConfigManager;
@@ -35,16 +36,30 @@
 import org.wso2.carbon.identity.sso.saml.session.SSOSessionPersistenceManager;
 import org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil;
 import org.wso2.carbon.registry.core.utils.UUIDGenerator;
+import org.wso2.carbon.utils.DiagnosticLog;
 
 import java.util.ArrayList;
 import java.util.List;
 
+import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.SAML_INBOUND_SERVICE;
+
 public class IdPInitSSOAuthnRequestProcessor implements SSOAuthnRequestProcessor {
 
     private static final Log log = LogFactory.getLog(IdPInitSSOAuthnRequestProcessor.class);
 
     public SAMLSSORespDTO process(SAMLSSOAuthnReqDTO authnReqDTO, String sessionId,
                                   boolean isAuthenticated, String authenticators, String authMode) throws Exception {
+
+        if (LoggerUtils.isDiagnosticLogsEnabled()) {
+            DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+                    SAML_INBOUND_SERVICE, "saml-request-validation");
+            diagnosticLogBuilder.resultMessage("Validating SP initiated SAML Authentication Request.")
+                    .inputParam("saml request", authnReqDTO.getRequestMessageString())
+                    .inputParam("auth mode", authMode)
+                    .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
+                    .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION);
+            LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
+        }
         try {
             SAMLSSOServiceProviderDO serviceProviderConfigs = getServiceProviderConfig(authnReqDTO);
 
@@ -193,6 +208,17 @@ public SAMLSSORespDTO process(SAMLSSOAuthnReqDTO authnReqDTO, String sessionId,
                     log.debug(samlssoRespDTO.getRespString());
                 }
             }
+            if (LoggerUtils.isDiagnosticLogsEnabled()) {
+                DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+                        SAML_INBOUND_SERVICE, "saml-request-validation");
+                diagnosticLogBuilder.resultMessage("SAML Request validation successful.")
+                        .inputParam("consumer url", samlssoRespDTO.getAssertionConsumerURL())
+                        .inputParam("user id", samlssoRespDTO.getSubject().getUserId())
+                        .inputParam("issuer", authnReqDTO.getIssuer())
+                        .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
+                        .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION);
+                LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
+            }
             return samlssoRespDTO;
         } catch (Exception e) {
             log.error("Error processing the authentication request", e);
@@ -309,6 +335,16 @@ private SAMLSSORespDTO buildErrorResponse(String id, List<String> statusCodeList
 
         samlSSORespDTO.setRespString(encodedResponse);
         samlSSORespDTO.setSessionEstablished(false);
+        if (LoggerUtils.isDiagnosticLogsEnabled()) {
+            DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+                    SAML_INBOUND_SERVICE, "saml-request-validation");
+            diagnosticLogBuilder.logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
+                    .inputParam("saml request", id)
+                    .inputParam("error saml response", encodedResponse)
+                    .resultMessage("An error occurred while processing the SAML request.")
+                    .resultStatus(DiagnosticLog.ResultStatus.FAILED);
+            LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
+        }
         return samlSSORespDTO;
     }
 }
diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java
index 36614b5a4..ad1453986 100644
--- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java
+++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java
@@ -572,56 +572,74 @@ private void sendNotification(String errorResp, String status, String message,
                                   String acUrl, HttpServletRequest req,
                                   HttpServletResponse resp) throws ServletException, IOException {
 
+        DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+                SAML_INBOUND_SERVICE, "saml-request-send-notification");
+        if (LoggerUtils.isDiagnosticLogsEnabled()) {
+            diagnosticLogBuilder.resultMessage("An error occurred while processing the SAML request. Prompts user " +
+                            "a notification.")
+            .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
+            .resultStatus(DiagnosticLog.ResultStatus.FAILED)
+            .inputParam(SAMLSSOConstants.ASSRTN_CONSUMER_URL, acUrl)
+            .inputParam(SAMLSSOConstants.STATUS, status)
+            .inputParam(SAMLSSOConstants.STATUS_MSG, message)
+            .inputParam(SAMLSSOConstants.SAML_RESP, errorResp);
+        }
         if (isSAMLECPRequest(req)) {
             sendNotificationForECPRequest(resp, errorResp, acUrl);
         } else {
             String redirectURL = SAMLSSOUtil.getNotificationEndpoint();
 
-        //TODO Send status codes rather than full messages in the GET request
-        String queryParams = "?" + SAMLSSOConstants.STATUS + "=" + URLEncoder.encode(status, "UTF-8") +
-                "&" + SAMLSSOConstants.STATUS_MSG + "=" + URLEncoder.encode(message, "UTF-8");
-
-        if (errorResp != null) {
-            queryParams += "&" + SAMLSSOConstants.SAML_RESP + "=" + URLEncoder.encode(errorResp, "UTF-8");
-        }
+            //TODO Send status codes rather than full messages in the GET request
+            String queryParams = "?" + SAMLSSOConstants.STATUS + "=" + URLEncoder.encode(status, "UTF-8") +
+                    "&" + SAMLSSOConstants.STATUS_MSG + "=" + URLEncoder.encode(message, "UTF-8");
 
-        // If the assertion consumer url is null, get it from the session.
-        if (StringUtils.isBlank(acUrl)) {
-            String sessionDataKey = getSessionDataKey(req);
-            SAMLSSOSessionDTO sessionDTO = null;
-            if (StringUtils.isNotBlank(sessionDataKey)) {
-                sessionDTO = getSessionDataFromCache(sessionDataKey);
+            if (errorResp != null) {
+                queryParams += "&" + SAMLSSOConstants.SAML_RESP + "=" + URLEncoder.encode(errorResp, "UTF-8");
             }
-            if (sessionDTO != null) {
-                acUrl = sessionDTO.getAssertionConsumerURL();
+
+            // If the assertion consumer url is null, get it from the session.
+            if (StringUtils.isBlank(acUrl)) {
+                String sessionDataKey = getSessionDataKey(req);
+                SAMLSSOSessionDTO sessionDTO = null;
+                if (StringUtils.isNotBlank(sessionDataKey)) {
+                    sessionDTO = getSessionDataFromCache(sessionDataKey);
+                }
+                if (sessionDTO != null) {
+                    acUrl = sessionDTO.getAssertionConsumerURL();
+                }
             }
-        }
 
-        if (StringUtils.isNotBlank(acUrl)) {
-            queryParams += "&" + SAMLSSOConstants.ASSRTN_CONSUMER_URL + "=" +
-                    URLEncoder.encode(acUrl, SAMLSSOConstants.ENCODING_FORMAT);
-        }
+            if (StringUtils.isNotBlank(acUrl)) {
+                queryParams += "&" + SAMLSSOConstants.ASSRTN_CONSUMER_URL + "=" +
+                        URLEncoder.encode(acUrl, SAMLSSOConstants.ENCODING_FORMAT);
+            }
 
-        String relayState = req.getParameter(SAMLSSOConstants.RELAY_STATE);
-        // If the request doesn't have a relay state, get it from the session.
-        if (StringUtils.isEmpty(relayState)) {
-            String sessionDataKey = getSessionDataKey(req);
-            SAMLSSOSessionDTO sessionDTO = null;
-            if (StringUtils.isNotEmpty(sessionDataKey)) {
-                sessionDTO = getSessionDataFromCache(sessionDataKey);
+            String relayState = req.getParameter(SAMLSSOConstants.RELAY_STATE);
+            // If the request doesn't have a relay state, get it from the session.
+            if (StringUtils.isEmpty(relayState)) {
+                String sessionDataKey = getSessionDataKey(req);
+                SAMLSSOSessionDTO sessionDTO = null;
+                if (StringUtils.isNotEmpty(sessionDataKey)) {
+                    sessionDTO = getSessionDataFromCache(sessionDataKey);
+                }
+                if (sessionDTO != null) {
+                    relayState = sessionDTO.getRelayState();
+                }
             }
-            if (sessionDTO != null) {
-                relayState = sessionDTO.getRelayState();
+
+            if (StringUtils.isNotEmpty(relayState)) {
+                queryParams += "&" + SAMLSSOConstants.RELAY_STATE + "=" +
+                        URLEncoder.encode(relayState, SAMLSSOConstants.ENCODING_FORMAT);
             }
-        }
 
-        if (StringUtils.isNotEmpty(relayState)) {
-            queryParams += "&" + SAMLSSOConstants.RELAY_STATE + "=" +
-                    URLEncoder.encode(relayState, SAMLSSOConstants.ENCODING_FORMAT);
+            String queryAppendedUrl = FrameworkUtils.appendQueryParamsStringToUrl(redirectURL, queryParams);
+            resp.sendRedirect(FrameworkUtils.getRedirectURL(queryAppendedUrl, req));
+            if (LoggerUtils.isDiagnosticLogsEnabled()) {
+                diagnosticLogBuilder.inputParam("redirectURL", redirectURL);
+            }
         }
-
-        String queryAppendedUrl = FrameworkUtils.appendQueryParamsStringToUrl(redirectURL, queryParams);
-        resp.sendRedirect(FrameworkUtils.getRedirectURL(queryAppendedUrl, req));
+        if (LoggerUtils.isDiagnosticLogsEnabled()) {
+            LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
         }
     }
 

From ada6597b7714d9be50bd60d5cffb3d2152a16518 Mon Sep 17 00:00:00 2001
From: Sahan Dilshan <sahandilshan222@gmail.com>
Date: Sun, 16 Jul 2023 22:25:10 +0530
Subject: [PATCH 3/7] Format logs

---
 .../org.wso2.carbon.identity.sso.saml/pom.xml |  6 +++++-
 .../SPInitLogoutRequestProcessor.java         |  6 +++---
 .../SPInitSSOAuthnRequestProcessor.java       | 20 +++++++++----------
 3 files changed, 18 insertions(+), 14 deletions(-)

diff --git a/components/org.wso2.carbon.identity.sso.saml/pom.xml b/components/org.wso2.carbon.identity.sso.saml/pom.xml
index 83574ddb7..d3d9d922a 100644
--- a/components/org.wso2.carbon.identity.sso.saml/pom.xml
+++ b/components/org.wso2.carbon.identity.sso.saml/pom.xml
@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.saml2</groupId>
         <artifactId>identity-inbound-auth-saml</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>5.11.16-SNAPSHOT</version>
+        <version>5.11.15</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>
@@ -79,6 +79,10 @@
                 </exclusion>
             </exclusions>
         </dependency>
+        <dependency>
+            <groupId>org.wso2.carbon.identity.framework</groupId>
+            <artifactId>org.wso2.carbon.identity.central.log.mgt</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.wso2.carbon</groupId>
             <artifactId>org.wso2.carbon.core</artifactId>
diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitLogoutRequestProcessor.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitLogoutRequestProcessor.java
index b7665fe90..11dec1c42 100644
--- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitLogoutRequestProcessor.java
+++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitLogoutRequestProcessor.java
@@ -130,8 +130,8 @@ public SAMLSSOReqValidationResponseDTO process(LogoutRequest logoutRequest, Stri
                     diagnosticLogBuilder.resultMessage("Validating logout request.")
                             .logDetailLevel(DiagnosticLog.LogDetailLevel.INTERNAL_SYSTEM)
                             .inputParam("issuer", logoutRequest.getIssuer().getValue())
-                            .inputParam("validatorName", validator.getClass().getName())
-                            .inputParam("validationResult", validationResult.getValidationStatus());
+                            .inputParam("validator name", validator.getClass().getName())
+                            .inputParam("validation result", validationResult.getValidationStatus());
                     LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
                 }
                 if (!validationResult.getValidationStatus()) {
@@ -220,7 +220,7 @@ public SAMLSSOReqValidationResponseDTO process(LogoutRequest logoutRequest, Stri
                         .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
                         .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
                         .inputParam("issuer", reqValidationResponseDTO.getIssuer())
-                        .inputParam("consumerURL", reqValidationResponseDTO.getAssertionConsumerURL());
+                        .inputParam("consumer uRL", reqValidationResponseDTO.getAssertionConsumerURL());
                 LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
             }
             return reqValidationResponseDTO;
diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitSSOAuthnRequestProcessor.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitSSOAuthnRequestProcessor.java
index e0b7750e7..571c4b6c9 100644
--- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitSSOAuthnRequestProcessor.java
+++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitSSOAuthnRequestProcessor.java
@@ -56,9 +56,9 @@ public SAMLSSORespDTO process(SAMLSSOAuthnReqDTO authnReqDTO, String sessionId,
         if (LoggerUtils.isDiagnosticLogsEnabled()) {
             DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
                     SAML_INBOUND_SERVICE, "saml-request-validation");
-            diagnosticLogBuilder.resultMessage("Validating SAML Authn Request.")
-                    .inputParam("SAMLRequest", authnReqDTO.getRequestMessageString())
-                    .inputParam("authMode", authMode)
+            diagnosticLogBuilder.resultMessage("Validating SP initiated SAML Authentication Request.")
+                    .inputParam("saml request", authnReqDTO.getRequestMessageString())
+                    .inputParam("auth mode", authMode)
                     .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
                     .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION);
             LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
@@ -197,8 +197,8 @@ public SAMLSSORespDTO process(SAMLSSOAuthnReqDTO authnReqDTO, String sessionId,
                 DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
                         SAML_INBOUND_SERVICE, "saml-request-validation");
                 diagnosticLogBuilder.resultMessage("SAML Request validation successful.")
-                        .inputParam("consumerURL", samlssoRespDTO.getAssertionConsumerURL())
-                        .inputParam("userId", samlssoRespDTO.getSubject().getUserId())
+                        .inputParam("consumer url", samlssoRespDTO.getAssertionConsumerURL())
+                        .inputParam("user id", samlssoRespDTO.getSubject().getUserId())
                         .inputParam("issuer", authnReqDTO.getIssuer())
                         .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
                         .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION);
@@ -315,9 +315,9 @@ private SAMLSSORespDTO buildErrorResponse(String id, String status,
             DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
                     SAML_INBOUND_SERVICE, "saml-request-validation");
             diagnosticLogBuilder.logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
-                    .inputParam("SAMLRequest", id)
-                    .inputParam("errorStatesCode", status)
-                    .inputParam("errorStatesMessage", statMsg)
+                    .inputParam("saml request", id)
+                    .inputParam("error states code", status)
+                    .inputParam("error states message", statMsg)
                     .inputParam("destination", destination)
                     .resultMessage("An error occurred while processing the SAML request.")
                     .resultStatus(DiagnosticLog.ResultStatus.FAILED);
@@ -340,8 +340,8 @@ private SAMLSSORespDTO buildErrorResponse(String id, List<String> statusCodeList
             DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
                     SAML_INBOUND_SERVICE, "saml-request-validation");
             diagnosticLogBuilder.logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
-                    .inputParam("SAMLRequest", id)
-                    .inputParam("errorSAMLResponse", encodedResponse)
+                    .inputParam("saml request", id)
+                    .inputParam("error saml response", encodedResponse)
                     .resultMessage("An error occurred while processing the SAML request.")
                     .resultStatus(DiagnosticLog.ResultStatus.FAILED);
             LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);

From 0364749882c694ca7f6b3b89d2d548a784dc258b Mon Sep 17 00:00:00 2001
From: Sahan Dilshan <sahandilshan222@gmail.com>
Date: Mon, 24 Jul 2023 18:02:22 +0530
Subject: [PATCH 4/7] Improve diagnostic logs

---
 .../identity/sso/saml/SAMLSSOConstants.java   | 34 +++++++++-
 .../IdPInitLogoutRequestProcessor.java        | 33 +++++-----
 .../IdPInitSSOAuthnRequestProcessor.java      | 28 +++++---
 .../SPInitLogoutRequestProcessor.java         | 33 ++++++----
 .../SPInitSSOAuthnRequestProcessor.java       | 64 +++++++++----------
 .../saml/servlet/SAMLSSOProviderServlet.java  | 36 ++++++-----
 .../identity/sso/saml/util/SAMLSSOUtil.java   | 27 +++++++-
 pom.xml                                       |  6 +-
 8 files changed, 169 insertions(+), 92 deletions(-)

diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java
index c259dfea0..58e2a7fbe 100644
--- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java
+++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java
@@ -114,11 +114,43 @@ public class SAMLSSOConstants {
     public static final String CACHE_CONTROL_VALUE_NO_CACHE = "no-cache";
 
     public static final String IS_POST = "isPost";
-    public static final String SAML_INBOUND_SERVICE = "saml-inbound-service";
 
     private SAMLSSOConstants() {
     }
 
+    /**
+     * Constants related to log management.
+     */
+    public static class LogConstants {
+
+        public static final String SAML_INBOUND_SERVICE = "saml-inbound-service";
+
+        /**
+         * Define action IDs for diagnostic logs.
+         */
+        public static class ActionIDs {
+
+            public static final String PROCESS_SAML_LOGOUT = "process-saml-logout";
+            public static final String SAML_REQUEST_VALIDATION = "saml-request-validation";
+            public static final String SAML_LOGOUT_PROCESSING = "saml-logout-processing";
+            public static final String PROCESS_SAML_REQUEST = "process-saml-request";
+            public static final String HAND_OVER_TO_FRAMEWORK = "hand-over-to-framework";
+        }
+
+        /**
+         * Define common and reusable Input keys for diagnostic logs.
+         */
+        public static class InputKeys {
+
+            public static final String SAML_REQUEST = "saml request";
+            public static final String ISSUER = "issuer";
+            public static final String CONSUMER_URL = "consumer url";
+            public static final String AUTH_MODE = "auth mode";
+            public static final String ASSERTION_URL = "assertion url";
+            public static final String QUERY_STRING = "query string";
+        }
+    }
+
 
     public enum QueryParameter {
 
diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/IdPInitLogoutRequestProcessor.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/IdPInitLogoutRequestProcessor.java
index eca0cd523..2586c17d2 100644
--- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/IdPInitLogoutRequestProcessor.java
+++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/IdPInitLogoutRequestProcessor.java
@@ -21,6 +21,7 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.wso2.carbon.identity.base.IdentityException;
+import org.wso2.carbon.identity.central.log.mgt.utils.LogConstants;
 import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;
 import org.wso2.carbon.identity.core.model.SAMLSSOServiceProviderDO;
 import org.wso2.carbon.identity.sso.saml.SAMLSSOConstants;
@@ -35,7 +36,7 @@
 
 import java.util.Map;
 
-import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.SAML_INBOUND_SERVICE;
+import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.SAML_INBOUND_SERVICE;
 import static org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil.splitAppendedTenantDomain;
 
 public class IdPInitLogoutRequestProcessor implements IdpInitSSOLogoutRequestProcessor{
@@ -73,11 +74,14 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
 
         init(queryParamDTOs);
 
-        DiagnosticLog.DiagnosticLogBuilder finalizeDiagLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
-                SAML_INBOUND_SERVICE, "saml-logout-processing");
+        // This finalizeDiagLogBuilder is used to log the final status of the logout flow.
+        DiagnosticLog.DiagnosticLogBuilder finalizeDiagLogBuilder = null;
         if (LoggerUtils.isDiagnosticLogsEnabled()) {
+            // Initialize finalizeDiagLogBuilder here to avoid initializing it in every if condition.
+            finalizeDiagLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+                    SAML_INBOUND_SERVICE, SAMLSSOConstants.LogConstants.ActionIDs.PROCESS_SAML_LOGOUT);
             DiagnosticLog.DiagnosticLogBuilder initializeDiagLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
-                    SAML_INBOUND_SERVICE, "saml-logout-processing");
+                    SAML_INBOUND_SERVICE, SAMLSSOConstants.LogConstants.ActionIDs.PROCESS_SAML_LOGOUT);
             initializeDiagLogBuilder.resultMessage("Processing IDP initiated logout request.")
                     .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
                     .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
@@ -89,7 +93,6 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
                 initializeDiagLogBuilder.inputParam("sp entity id", spEntityID);
             }
             LoggerUtils.triggerDiagnosticLogEvent(initializeDiagLogBuilder);
-
         }
         SAMLSSOReqValidationResponseDTO validationResponseDTO = new SAMLSSOReqValidationResponseDTO();
 
@@ -101,7 +104,7 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
                 log.error(SAMLSSOConstants.Notification.INVALID_SESSION);
                 validationResponseDTO.setValid(false);
                 validationResponseDTO.setLogoutFromAuthFramework(true);
-                if (LoggerUtils.isDiagnosticLogsEnabled()) {
+                if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
                     finalizeDiagLogBuilder.resultStatus(DiagnosticLog.ResultStatus.FAILED)
                             .resultMessage(SAMLSSOConstants.Notification.INVALID_SESSION);
                 }
@@ -118,7 +121,7 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
                 log.error(SAMLSSOConstants.Notification.INVALID_SESSION);
                 validationResponseDTO.setValid(false);
                 validationResponseDTO.setLogoutFromAuthFramework(true);
-                if (LoggerUtils.isDiagnosticLogsEnabled()) {
+                if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
                     finalizeDiagLogBuilder.resultStatus(DiagnosticLog.ResultStatus.FAILED)
                             .resultMessage(SAMLSSOConstants.Notification.INVALID_SESSION);
                 }
@@ -132,7 +135,7 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
                 if (StringUtils.isNotBlank(returnTo)) {
                     log.error(SAMLSSOConstants.Notification.NO_SP_ENTITY_PARAM);
                     validationResponseDTO.setValid(false);
-                    if (LoggerUtils.isDiagnosticLogsEnabled()) {
+                    if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
                         finalizeDiagLogBuilder.resultStatus(DiagnosticLog.ResultStatus.FAILED)
                                 .resultMessage(SAMLSSOConstants.Notification.NO_SP_ENTITY_PARAM);
                     }
@@ -147,7 +150,7 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
                 if (logoutReqIssuer == null) {
                     log.error(String.format(SAMLSSOConstants.Notification.INVALID_SP_ENTITY_ID, spEntityID));
                     validationResponseDTO.setValid(false);
-                    if (LoggerUtils.isDiagnosticLogsEnabled()) {
+                    if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
                         finalizeDiagLogBuilder.resultStatus(DiagnosticLog.ResultStatus.FAILED)
                                 .resultMessage(SAMLSSOConstants.Notification.INVALID_SP_ENTITY_ID);
                     }
@@ -158,7 +161,7 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
                     String errorMsg = String.format(SAMLSSOConstants.Notification.IDP_SLO_NOT_ENABLED, spEntityID);
                     log.error(errorMsg);
                     validationResponseDTO.setValid(false);
-                    if (LoggerUtils.isDiagnosticLogsEnabled()) {
+                    if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
                         finalizeDiagLogBuilder.resultStatus(DiagnosticLog.ResultStatus.FAILED)
                                 .resultMessage(errorMsg);
                     }
@@ -170,7 +173,7 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
                             .getAssertionConsumerUrlList().contains(returnTo)) {
                         log.error(SAMLSSOConstants.Notification.INVALID_RETURN_TO_URL);
                         validationResponseDTO.setValid(false);
-                        if (LoggerUtils.isDiagnosticLogsEnabled()) {
+                        if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
                             finalizeDiagLogBuilder.resultStatus(DiagnosticLog.ResultStatus.FAILED)
                                     .resultMessage(SAMLSSOConstants.Notification.INVALID_RETURN_TO_URL);
                         }
@@ -184,21 +187,21 @@ public SAMLSSOReqValidationResponseDTO process(String sessionId, QueryParamDTO[]
                 SAMLSSOUtil.setTenantDomainInThreadLocal(logoutReqIssuer.getTenantDomain());
             }
             validationResponseDTO.setValid(true);
-            if (LoggerUtils.isDiagnosticLogsEnabled()) {
+            if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
                 finalizeDiagLogBuilder.resultMessage("Successfully processed IDP initiated logout request.")
                         .resultStatus(DiagnosticLog.ResultStatus.SUCCESS);
 
             }
 
         } catch (UserStoreException | IdentityException e) {
-            if (LoggerUtils.isDiagnosticLogsEnabled()) {
+            if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
                 finalizeDiagLogBuilder.resultStatus(DiagnosticLog.ResultStatus.FAILED)
                         .resultMessage("Error while processing IDP initiated logout request.")
-                        .inputParam("error message", e.getMessage());
+                        .inputParam(LogConstants.InputKeys.ERROR_MESSAGE, e.getMessage());
             }
             throw IdentityException.error(SAMLSSOConstants.Notification.IDP_SLO_VALIDATE_ERROR, e);
         } finally {
-            if (LoggerUtils.isDiagnosticLogsEnabled()) {
+            if (LoggerUtils.isDiagnosticLogsEnabled() && finalizeDiagLogBuilder != null) {
                 finalizeDiagLogBuilder.logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION);
                 LoggerUtils.triggerDiagnosticLogEvent(finalizeDiagLogBuilder);
             }
diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/IdPInitSSOAuthnRequestProcessor.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/IdPInitSSOAuthnRequestProcessor.java
index 9b8b9185c..0533ff0e1 100644
--- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/IdPInitSSOAuthnRequestProcessor.java
+++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/IdPInitSSOAuthnRequestProcessor.java
@@ -23,6 +23,7 @@
 import org.opensaml.saml.saml2.core.Response;
 import org.wso2.carbon.context.PrivilegedCarbonContext;
 import org.wso2.carbon.identity.base.IdentityException;
+import org.wso2.carbon.identity.central.log.mgt.utils.LogConstants;
 import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;
 import org.wso2.carbon.identity.core.model.SAMLSSOServiceProviderDO;
 import org.wso2.carbon.identity.sso.saml.SAMLSSOConstants;
@@ -35,14 +36,16 @@
 import org.wso2.carbon.identity.sso.saml.internal.IdentitySAMLSSOServiceComponentHolder;
 import org.wso2.carbon.identity.sso.saml.session.SSOSessionPersistenceManager;
 import org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil;
-import org.wso2.carbon.registry.core.utils.UUIDGenerator;
 import org.wso2.carbon.utils.DiagnosticLog;
 
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Optional;
 import java.util.UUID;
 
-import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.SAML_INBOUND_SERVICE;
+import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.ActionIDs.SAML_REQUEST_VALIDATION;
+import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.InputKeys.SAML_REQUEST;
+import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.SAML_INBOUND_SERVICE;
 
 public class IdPInitSSOAuthnRequestProcessor implements SSOAuthnRequestProcessor {
 
@@ -53,9 +56,9 @@ public SAMLSSORespDTO process(SAMLSSOAuthnReqDTO authnReqDTO, String sessionId,
 
         if (LoggerUtils.isDiagnosticLogsEnabled()) {
             DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
-                    SAML_INBOUND_SERVICE, "saml-request-validation");
+                    SAML_INBOUND_SERVICE, SAML_REQUEST_VALIDATION);
             diagnosticLogBuilder.resultMessage("Validating SP initiated SAML Authentication Request.")
-                    .inputParam("saml request", authnReqDTO.getRequestMessageString())
+                    .inputParam(SAML_REQUEST, authnReqDTO.getRequestMessageString())
                     .inputParam("auth mode", authMode)
                     .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
                     .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION);
@@ -211,13 +214,20 @@ public SAMLSSORespDTO process(SAMLSSOAuthnReqDTO authnReqDTO, String sessionId,
             }
             if (LoggerUtils.isDiagnosticLogsEnabled()) {
                 DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
-                        SAML_INBOUND_SERVICE, "saml-request-validation");
+                        SAML_INBOUND_SERVICE, SAML_REQUEST_VALIDATION);
                 diagnosticLogBuilder.resultMessage("SAML Request validation successful.")
                         .inputParam("consumer url", samlssoRespDTO.getAssertionConsumerURL())
-                        .inputParam("user id", samlssoRespDTO.getSubject().getUserId())
-                        .inputParam("issuer", authnReqDTO.getIssuer())
+                        .inputParam(LogConstants.InputKeys.USER_ID, samlssoRespDTO.getSubject().getUserId())
+                        .inputParam(SAMLSSOConstants.LogConstants.InputKeys.ISSUER, authnReqDTO.getIssuer())
                         .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
                         .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION);
+                Optional.ofNullable(samlssoRespDTO.getSubject()).ifPresent(subject -> {
+                            String userName = LoggerUtils.isLogMaskingEnable ? LoggerUtils.getMaskedContent(
+                                    subject.getUserName()) : subject.getUserName();
+                            diagnosticLogBuilder.inputParam(LogConstants.InputKeys.USER_ID,
+                                            SAMLSSOUtil.getUserId(subject))
+                                    .inputParam(LogConstants.InputKeys.USER, userName);
+                        });
                 LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
             }
             return samlssoRespDTO;
@@ -338,9 +348,9 @@ private SAMLSSORespDTO buildErrorResponse(String id, List<String> statusCodeList
         samlSSORespDTO.setSessionEstablished(false);
         if (LoggerUtils.isDiagnosticLogsEnabled()) {
             DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
-                    SAML_INBOUND_SERVICE, "saml-request-validation");
+                    SAML_INBOUND_SERVICE, SAML_REQUEST_VALIDATION);
             diagnosticLogBuilder.logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
-                    .inputParam("saml request", id)
+                    .inputParam(SAML_REQUEST, id)
                     .inputParam("error saml response", encodedResponse)
                     .resultMessage("An error occurred while processing the SAML request.")
                     .resultStatus(DiagnosticLog.ResultStatus.FAILED);
diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitLogoutRequestProcessor.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitLogoutRequestProcessor.java
index 11dec1c42..858aff6fd 100644
--- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitLogoutRequestProcessor.java
+++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitLogoutRequestProcessor.java
@@ -25,6 +25,7 @@
 import org.wso2.carbon.context.PrivilegedCarbonContext;
 import org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil;
 import org.wso2.carbon.identity.base.IdentityException;
+import org.wso2.carbon.identity.central.log.mgt.utils.LogConstants;
 import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;
 import org.wso2.carbon.identity.core.model.SAMLSSOServiceProviderDO;
 import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
@@ -50,7 +51,8 @@
 import java.util.Map;
 import java.util.function.Function;
 
-import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.SAML_INBOUND_SERVICE;
+import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.ActionIDs.SAML_LOGOUT_PROCESSING;
+import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.SAML_INBOUND_SERVICE;
 
 /**
  * Handles validation of SP initiated logout requests.
@@ -97,11 +99,11 @@ public SAMLSSOReqValidationResponseDTO process(LogoutRequest logoutRequest, Stri
         reqValidationResponseDTO.setLogOutReq(true);
         if (LoggerUtils.isDiagnosticLogsEnabled()) {
             DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
-                    SAML_INBOUND_SERVICE, "saml-logout-processing");
+                    SAML_INBOUND_SERVICE, SAML_LOGOUT_PROCESSING);
             diagnosticLogBuilder.resultMessage("Processing SP initiated logout request.")
                     .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
                     .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
-                    .inputParam("issuer", logoutRequest.getIssuer().getValue())
+                    .inputParam(SAMLSSOConstants.LogConstants.InputKeys.ISSUER, logoutRequest.getIssuer().getValue())
                     .inputParam("reason", logoutRequest.getReason());
             LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
         }
@@ -126,10 +128,11 @@ public SAMLSSOReqValidationResponseDTO process(LogoutRequest logoutRequest, Stri
                 ValidationResult<SAMLSSOReqValidationResponseDTO> validationResult = validator.apply(logoutRequest);
                 if (LoggerUtils.isDiagnosticLogsEnabled()) {
                     DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
-                            SAML_INBOUND_SERVICE, "saml-logout-processing");
+                            SAML_INBOUND_SERVICE, SAML_LOGOUT_PROCESSING);
                     diagnosticLogBuilder.resultMessage("Validating logout request.")
                             .logDetailLevel(DiagnosticLog.LogDetailLevel.INTERNAL_SYSTEM)
-                            .inputParam("issuer", logoutRequest.getIssuer().getValue())
+                            .inputParam(SAMLSSOConstants.LogConstants.InputKeys.ISSUER,
+                                    logoutRequest.getIssuer().getValue())
                             .inputParam("validator name", validator.getClass().getName())
                             .inputParam("validation result", validationResult.getValidationStatus());
                     LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
@@ -215,23 +218,24 @@ public SAMLSSOReqValidationResponseDTO process(LogoutRequest logoutRequest, Stri
 
             if (LoggerUtils.isDiagnosticLogsEnabled()) {
                 DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
-                        SAML_INBOUND_SERVICE, "saml-logout-processing");
+                        SAML_INBOUND_SERVICE, SAML_LOGOUT_PROCESSING);
                 diagnosticLogBuilder.resultMessage("Successfully processed SP initiated logout request.")
                         .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
                         .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
-                        .inputParam("issuer", reqValidationResponseDTO.getIssuer())
-                        .inputParam("consumer uRL", reqValidationResponseDTO.getAssertionConsumerURL());
+                        .inputParam(SAMLSSOConstants.LogConstants.InputKeys.ISSUER, reqValidationResponseDTO.getIssuer())
+                        .inputParam(SAMLSSOConstants.LogConstants.InputKeys.CONSUMER_URL,
+                                reqValidationResponseDTO.getAssertionConsumerURL());
                 LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
             }
             return reqValidationResponseDTO;
         } catch (UserStoreException | IdentityException | IOException e) {
             if (LoggerUtils.isDiagnosticLogsEnabled()) {
                 DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
-                        SAML_INBOUND_SERVICE, "saml-logout-processing");
+                        SAML_INBOUND_SERVICE, SAML_LOGOUT_PROCESSING);
                 diagnosticLogBuilder.resultMessage("Error processing SP initiated logout request.")
                         .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
                         .resultStatus(DiagnosticLog.ResultStatus.FAILED)
-                        .inputParam("errorMsg", e.getMessage());
+                        .inputParam(LogConstants.InputKeys.ERROR_MESSAGE, e.getMessage());
                 LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
             }
             throw IdentityException.error("Error Processing the Logout Request", e);
@@ -354,10 +358,11 @@ private SAMLSSOReqValidationResponseDTO buildErrorResponse(String id, String sta
             diagnosticLogBuilder.resultMessage("Error while processing the SAML logout request.")
                     .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
                     .resultStatus(DiagnosticLog.ResultStatus.FAILED)
-                    .inputParam("issuer", reqValidationResponseDTO.getIssuer())
-                    .inputParam("consumerURL", reqValidationResponseDTO.getAssertionConsumerURL())
-                    .inputParam("errorMessage", statMsg)
-                    .inputParam("statusCode", status);
+                    .inputParam(SAMLSSOConstants.LogConstants.InputKeys.ISSUER, reqValidationResponseDTO.getIssuer())
+                    .inputParam(SAMLSSOConstants.LogConstants.InputKeys.CONSUMER_URL,
+                            reqValidationResponseDTO.getAssertionConsumerURL())
+                    .inputParam(LogConstants.InputKeys.ERROR_MESSAGE, statMsg)
+                    .inputParam("status code", status);
             LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
         }
         return reqValidationResponseDTO;
diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitSSOAuthnRequestProcessor.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitSSOAuthnRequestProcessor.java
index 70ac07d92..19d54faea 100644
--- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitSSOAuthnRequestProcessor.java
+++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitSSOAuthnRequestProcessor.java
@@ -24,6 +24,7 @@
 import org.opensaml.saml.saml2.core.Response;
 import org.wso2.carbon.context.PrivilegedCarbonContext;
 import org.wso2.carbon.identity.base.IdentityException;
+import org.wso2.carbon.identity.central.log.mgt.utils.LogConstants;
 import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;
 import org.wso2.carbon.identity.core.model.SAMLSSOServiceProviderDO;
 
@@ -38,14 +39,15 @@
 import org.wso2.carbon.identity.sso.saml.internal.IdentitySAMLSSOServiceComponentHolder;
 import org.wso2.carbon.identity.sso.saml.session.SSOSessionPersistenceManager;
 import org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil;
-import org.wso2.carbon.registry.core.utils.UUIDGenerator;
 import org.wso2.carbon.utils.DiagnosticLog;
 
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Optional;
 import java.util.UUID;
 
-import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.SAML_INBOUND_SERVICE;
+import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.ActionIDs.SAML_REQUEST_VALIDATION;
+import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.SAML_INBOUND_SERVICE;
 
 public class SPInitSSOAuthnRequestProcessor implements SSOAuthnRequestProcessor{
 
@@ -56,10 +58,11 @@ public SAMLSSORespDTO process(SAMLSSOAuthnReqDTO authnReqDTO, String sessionId,
 
         if (LoggerUtils.isDiagnosticLogsEnabled()) {
             DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
-                    SAML_INBOUND_SERVICE, "saml-request-validation");
+                    SAML_INBOUND_SERVICE, SAML_REQUEST_VALIDATION);
             diagnosticLogBuilder.resultMessage("Validating SP initiated SAML Authentication Request.")
-                    .inputParam("saml request", authnReqDTO.getRequestMessageString())
-                    .inputParam("auth mode", authMode)
+                    .inputParam(SAMLSSOConstants.LogConstants.InputKeys.SAML_REQUEST,
+                            authnReqDTO.getRequestMessageString())
+                    .inputParam(SAMLSSOConstants.LogConstants.InputKeys.AUTH_MODE, authMode)
                     .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
                     .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION);
             LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
@@ -74,7 +77,7 @@ public SAMLSSORespDTO process(SAMLSSOAuthnReqDTO authnReqDTO, String sessionId,
                                 " Service Provider should be registered in advance.";
                 log.warn(msg);
                 return buildErrorResponse(authnReqDTO.getId(),
-                        SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, msg, null);
+                        SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, msg, null, authnReqDTO.getRequestMessageString());
             }
 
             if (isECPReqfromECPEnabledSP(authnReqDTO, serviceProviderConfigs)) {
@@ -82,7 +85,7 @@ public SAMLSSORespDTO process(SAMLSSOAuthnReqDTO authnReqDTO, String sessionId,
                                 "' is not ECP enabled.";
                 log.warn(msg);
                 return buildErrorResponse(authnReqDTO.getId(),
-                        SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, msg, null);
+                        SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, msg, null, authnReqDTO.getRequestMessageString());
             }
 
             // reading the service provider configs
@@ -102,7 +105,7 @@ public SAMLSSORespDTO process(SAMLSSOAuthnReqDTO authnReqDTO, String sessionId,
                     statusCodes.add(SAMLSSOConstants.StatusCodes.IDENTITY_PROVIDER_ERROR);
 
                     return buildErrorResponse(authnReqDTO.getId(), statusCodes, msg, authnReqDTO
-                            .getAssertionConsumerURL());
+                            .getAssertionConsumerURL(), authnReqDTO.getRequestMessageString());
                 }
             }
 
@@ -196,13 +199,21 @@ public SAMLSSORespDTO process(SAMLSSOAuthnReqDTO authnReqDTO, String sessionId,
             }
             if (LoggerUtils.isDiagnosticLogsEnabled() && samlssoRespDTO != null) {
                 DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
-                        SAML_INBOUND_SERVICE, "saml-request-validation");
+                        SAML_INBOUND_SERVICE, SAML_REQUEST_VALIDATION);
                 diagnosticLogBuilder.resultMessage("SAML Request validation successful.")
-                        .inputParam("consumer url", samlssoRespDTO.getAssertionConsumerURL())
-                        .inputParam("user id", samlssoRespDTO.getSubject().getUserId())
-                        .inputParam("issuer", authnReqDTO.getIssuer())
+                        .inputParam(SAMLSSOConstants.LogConstants.InputKeys.CONSUMER_URL,
+                                samlssoRespDTO.getAssertionConsumerURL())
+                        .inputParam(SAMLSSOConstants.LogConstants.InputKeys.ISSUER, authnReqDTO.getIssuer())
                         .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
                         .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION);
+                // Add user details to the diagnostic log.
+                Optional.ofNullable(samlssoRespDTO.getSubject()).ifPresent(subject -> {
+                    String userName = LoggerUtils.isLogMaskingEnable ? LoggerUtils.getMaskedContent(
+                            subject.getUserName()) : subject.getUserName();
+                    diagnosticLogBuilder.inputParam(LogConstants.InputKeys.USER_ID,
+                                    SAMLSSOUtil.getUserId(subject))
+                            .inputParam(LogConstants.InputKeys.USER, userName);
+                });
                 LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
             }
             return samlssoRespDTO;
@@ -215,7 +226,8 @@ public SAMLSSORespDTO process(SAMLSSOAuthnReqDTO authnReqDTO, String sessionId,
 
             SAMLSSORespDTO errorResp =
                     buildErrorResponse(authnReqDTO.getId(), statusCodes,
-                            "Error processing the authentication request.", null);
+                            "Error processing the authentication request.", null,
+                            authnReqDTO.getRequestMessageString());
             errorResp.setLoginPageURL(authnReqDTO.getLoginPageURL());
             errorResp.setAssertionConsumerURL(authnReqDTO.getAssertionConsumerURL());
             return errorResp;
@@ -307,28 +319,16 @@ private void populateServiceProviderConfigs(SAMLSSOServiceProviderDO ssoIdpConfi
      * @return
      * @throws Exception
      */
-    private SAMLSSORespDTO buildErrorResponse(String id, String status,
-                                              String statMsg, String destination) throws Exception {
+    private SAMLSSORespDTO buildErrorResponse(String id, String status, String statMsg, String destination,
+                                              String requestMessageString) throws Exception {
 
         List<String> statusCodeList = new ArrayList<String>();
         statusCodeList.add(status);
-        if (LoggerUtils.isDiagnosticLogsEnabled()) {
-            DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
-                    SAML_INBOUND_SERVICE, "saml-request-validation");
-            diagnosticLogBuilder.logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
-                    .inputParam("saml request", id)
-                    .inputParam("error states code", status)
-                    .inputParam("error states message", statMsg)
-                    .inputParam("destination", destination)
-                    .resultMessage("An error occurred while processing the SAML request.")
-                    .resultStatus(DiagnosticLog.ResultStatus.FAILED);
-            LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
-        }
-        return buildErrorResponse(id, statusCodeList, statMsg, destination);
+        return buildErrorResponse(id, statusCodeList, statMsg, destination, requestMessageString);
     }
 
-    private SAMLSSORespDTO buildErrorResponse(String id, List<String> statusCodeList,
-                                              String statMsg, String destination) throws Exception {
+    private SAMLSSORespDTO buildErrorResponse(String id, List<String> statusCodeList, String statMsg,
+                                              String destination, String requestMessageString) throws Exception {
 
         SAMLSSORespDTO samlSSORespDTO = new SAMLSSORespDTO();
         ErrorResponseBuilder errRespBuilder = new ErrorResponseBuilder();
@@ -339,9 +339,9 @@ private SAMLSSORespDTO buildErrorResponse(String id, List<String> statusCodeList
         samlSSORespDTO.setSessionEstablished(false);
         if (LoggerUtils.isDiagnosticLogsEnabled()) {
             DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
-                    SAML_INBOUND_SERVICE, "saml-request-validation");
+                    SAML_INBOUND_SERVICE, SAML_REQUEST_VALIDATION);
             diagnosticLogBuilder.logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
-                    .inputParam("saml request", id)
+                    .inputParam("saml request", requestMessageString)
                     .inputParam("error saml response", encodedResponse)
                     .resultMessage("An error occurred while processing the SAML request.")
                     .resultStatus(DiagnosticLog.ResultStatus.FAILED);
diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java
index 6a088720d..48f6740ef 100644
--- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java
+++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java
@@ -46,6 +46,7 @@
 import org.wso2.carbon.identity.application.mgt.ApplicationManagementService;
 import org.wso2.carbon.identity.base.IdentityConstants;
 import org.wso2.carbon.identity.base.IdentityException;
+import org.wso2.carbon.identity.central.log.mgt.utils.LogConstants;
 import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;
 import org.wso2.carbon.identity.core.ServiceURLBuilder;
 import org.wso2.carbon.identity.core.URLBuilderException;
@@ -114,7 +115,10 @@
 import javax.xml.transform.TransformerException;
 
 import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.RequestParams.TENANT_DOMAIN;
-import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.SAML_INBOUND_SERVICE;
+import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.ActionIDs.HAND_OVER_TO_FRAMEWORK;
+import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.ActionIDs.PROCESS_SAML_REQUEST;
+import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.ActionIDs.SAML_REQUEST_VALIDATION;
+import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.SAML_INBOUND_SERVICE;
 
 /**
  * This is the entry point for authentication process in an SSO scenario. This servlet is registered
@@ -573,16 +577,16 @@ private void sendNotification(String errorResp, String status, String message,
                                   HttpServletResponse resp) throws ServletException, IOException {
 
         DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
-                SAML_INBOUND_SERVICE, "saml-request-send-notification");
+                SAML_INBOUND_SERVICE, SAML_REQUEST_VALIDATION);
         if (LoggerUtils.isDiagnosticLogsEnabled()) {
             diagnosticLogBuilder.resultMessage("An error occurred while processing the SAML request. Prompts user " +
                             "a notification.")
             .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
             .resultStatus(DiagnosticLog.ResultStatus.FAILED)
-            .inputParam(SAMLSSOConstants.ASSRTN_CONSUMER_URL, acUrl)
-            .inputParam(SAMLSSOConstants.STATUS, status)
-            .inputParam(SAMLSSOConstants.STATUS_MSG, message)
-            .inputParam(SAMLSSOConstants.SAML_RESP, errorResp);
+            .inputParam(SAMLSSOConstants.LogConstants.InputKeys.ASSERTION_URL, acUrl)
+            .inputParam("status", status)
+            .inputParam("status message", message)
+            .inputParam("error response", errorResp);
         }
         if (isSAMLECPRequest(req)) {
             sendNotificationForECPRequest(resp, errorResp, acUrl);
@@ -635,7 +639,7 @@ private void sendNotification(String errorResp, String status, String message,
             String queryAppendedUrl = FrameworkUtils.appendQueryParamsStringToUrl(redirectURL, queryParams);
             resp.sendRedirect(FrameworkUtils.getRedirectURL(queryAppendedUrl, req));
             if (LoggerUtils.isDiagnosticLogsEnabled()) {
-                diagnosticLogBuilder.inputParam("redirectURL", redirectURL);
+                diagnosticLogBuilder.inputParam(LogConstants.InputKeys.REDIREDCT_URI, redirectURL);
             }
         }
         if (LoggerUtils.isDiagnosticLogsEnabled()) {
@@ -650,11 +654,11 @@ private void handleIdPInitSSO(HttpServletRequest req, HttpServletResponse resp,
 
         if (LoggerUtils.isDiagnosticLogsEnabled()) {
             DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
-                    SAML_INBOUND_SERVICE, "saml-request-handle");
+                    SAML_INBOUND_SERVICE, PROCESS_SAML_REQUEST);
             diagnosticLogBuilder.resultMessage("Handling IdP Initiated SSO request.")
                     .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
                     .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
-                    .inputParam("queryString", queryString);
+                    .inputParam(SAMLSSOConstants.LogConstants.InputKeys.QUERY_STRING, queryString);
             LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
         }
         String rpSessionId = req.getParameter(MultitenantConstants.SSO_AUTH_SESSION_ID);
@@ -779,11 +783,11 @@ private void handleSPInitSSO(HttpServletRequest req, HttpServletResponse resp,
 
         if (LoggerUtils.isDiagnosticLogsEnabled()) {
             DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
-                    SAML_INBOUND_SERVICE, "saml-request-handle");
+                    SAML_INBOUND_SERVICE, PROCESS_SAML_REQUEST);
             diagnosticLogBuilder.resultMessage("Handling SP Initiated SSO request.")
                     .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
                     .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
-                    .inputParam("queryString", queryString);
+                    .inputParam(SAMLSSOConstants.LogConstants.InputKeys.QUERY_STRING, queryString);
             LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
         }
         String rpSessionId = req.getParameter(MultitenantConstants.SSO_AUTH_SESSION_ID);
@@ -1145,9 +1149,11 @@ private void handleAuthenticationReponseFromFramework(HttpServletRequest req, Ht
             diagnosticLogBuilder.resultMessage("Received authentication response from framework")
                     .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
                     .logDetailLevel(DiagnosticLog.LogDetailLevel.INTERNAL_SYSTEM)
-                    .inputParam("SAMLIssuer", sessionDTO.getIssuer())
-                    .inputParam("authenticatedUser", LoggerUtils.isLogMaskingEnable ? LoggerUtils.getMaskedContent(
-                            sessionDTO.getSubject()) : sessionDTO.getSubject());
+                    .inputParam(SAMLSSOConstants.LogConstants.InputKeys.ISSUER, sessionDTO.getIssuer())
+                    .inputParam(LogConstants.InputKeys.USER, LoggerUtils.isLogMaskingEnable ?
+                            LoggerUtils.getMaskedContent(sessionDTO.getSubject()) : sessionDTO.getSubject())
+                    .inputParam(SAMLSSOConstants.LogConstants.InputKeys.CONSUMER_URL,
+                            sessionDTO.getAssertionConsumerURL());
             LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
         }
         String sessionDataKey = getSessionDataKey(req);
@@ -1722,7 +1728,7 @@ private void sendRequestToFramework(HttpServletRequest request, HttpServletRespo
 
         if (LoggerUtils.isDiagnosticLogsEnabled()) {
             DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
-                    SAML_INBOUND_SERVICE, "hand-over-to-framework");
+                    SAML_INBOUND_SERVICE, HAND_OVER_TO_FRAMEWORK);
             diagnosticLogBuilder.resultMessage("Forward SAML request to framework for user authentication.")
                     .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
                     .logDetailLevel(DiagnosticLog.LogDetailLevel.INTERNAL_SYSTEM);
diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/util/SAMLSSOUtil.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/util/SAMLSSOUtil.java
index d152bb25e..5e5863de4 100644
--- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/util/SAMLSSOUtil.java
+++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/util/SAMLSSOUtil.java
@@ -59,8 +59,9 @@
 import org.w3c.dom.ls.LSOutput;
 import org.w3c.dom.ls.LSSerializer;
 import org.wso2.carbon.context.PrivilegedCarbonContext;
-import org.wso2.carbon.context.RegistryType;
 import org.wso2.carbon.core.util.KeyStoreManager;
+import org.wso2.carbon.identity.application.authentication.framework.exception.UserIdNotFoundException;
+import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
 import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
 import org.wso2.carbon.identity.application.common.model.ClaimMapping;
 import org.wso2.carbon.identity.application.common.model.FederatedAuthenticatorConfig;
@@ -73,7 +74,6 @@
 import org.wso2.carbon.identity.base.IdentityException;
 import org.wso2.carbon.identity.base.IdentityRuntimeException;
 import org.wso2.carbon.identity.core.IdentityRegistryResources;
-import org.wso2.carbon.identity.core.SAMLSSOServiceProviderManager;
 import org.wso2.carbon.identity.core.ServiceURLBuilder;
 import org.wso2.carbon.identity.core.URLBuilderException;
 import org.wso2.carbon.identity.core.model.SAMLSSOServiceProviderDO;
@@ -111,7 +111,6 @@
 import org.wso2.carbon.identity.sso.saml.validators.SSOAuthnRequestValidator;
 import org.wso2.carbon.idp.mgt.IdentityProviderManagementException;
 import org.wso2.carbon.idp.mgt.IdentityProviderManager;
-import org.wso2.carbon.registry.core.Registry;
 import org.wso2.carbon.registry.core.exceptions.RegistryException;
 import org.wso2.carbon.registry.core.service.RegistryService;
 import org.wso2.carbon.registry.core.service.TenantRegistryLoader;
@@ -144,6 +143,7 @@
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 import java.util.Set;
 import java.util.zip.DataFormatException;
 import java.util.zip.Deflater;
@@ -2617,6 +2617,27 @@ public static String resolveIssuerQualifier(QueryParamDTO[] queryParamDTOs, Stri
         }
     }
 
+    /**
+     * Get the user id from the authenticated user.
+     *
+     * @param authenticatedUser AuthenticationContext.
+     * @return User id.
+     */
+    public static Optional<String> getUserId(AuthenticatedUser authenticatedUser) {
+
+        if (authenticatedUser == null) {
+            return Optional.empty();
+        }
+        try {
+            if (authenticatedUser.getUserId() != null) {
+                return Optional.ofNullable(authenticatedUser.getUserId());
+            }
+        } catch (UserIdNotFoundException e) {
+            log.debug("Error while getting the user id from the authenticated user.", e);
+        }
+        return Optional.empty();
+    }
+
     private static String getSPQualifier(QueryParamDTO[] queryParamDTOs) {
 
         for (QueryParamDTO queryParamDTO : queryParamDTOs) {
diff --git a/pom.xml b/pom.xml
index 54aecd71a..3c0be3a4f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -450,10 +450,10 @@
     </modules>
 
     <properties>
-        <carbon.kernel.version>4.9.0</carbon.kernel.version>
+        <carbon.kernel.version>4.9.10</carbon.kernel.version>
         <carbon.kernel.feature.version>4.9.0</carbon.kernel.feature.version>
-        <carbon.identity.framework.version>5.25.247</carbon.identity.framework.version>
-        <carbon.identity.framework.imp.pkg.version.range>[5.25.234, 7.0.0)
+        <carbon.identity.framework.version>5.25.260</carbon.identity.framework.version>
+        <carbon.identity.framework.imp.pkg.version.range>[5.25.260, 7.0.0)
         </carbon.identity.framework.imp.pkg.version.range>
         <carbon.identity.organization.management.core.version>1.0.0</carbon.identity.organization.management.core.version>
 

From bb960ed20aaec5c0818b8c3fd49a177981bb5ed6 Mon Sep 17 00:00:00 2001
From: sahandilshan <sahandilshan222@gmail.com>
Date: Sat, 19 Aug 2023 21:57:14 +0530
Subject: [PATCH 5/7] Fix review suggestions

---
 .../identity/sso/saml/SAMLSSOConstants.java   | 59 ++++++++-----------
 .../IdPInitSSOAuthnRequestProcessor.java      |  6 +-
 .../SPInitLogoutRequestProcessor.java         | 33 ++++++-----
 .../saml/servlet/SAMLSSOProviderServlet.java  | 51 +++++++++++-----
 .../identity/sso/saml/SAMLSSOServiceTest.java |  5 +-
 5 files changed, 86 insertions(+), 68 deletions(-)

diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java
index 8a4795625..2abd36acb 100644
--- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java
+++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java
@@ -119,39 +119,6 @@ public class SAMLSSOConstants {
     private SAMLSSOConstants() {
     }
 
-    /**
-     * Constants related to log management.
-     */
-    public static class LogConstants {
-
-        public static final String SAML_INBOUND_SERVICE = "saml-inbound-service";
-
-        /**
-         * Define action IDs for diagnostic logs.
-         */
-        public static class ActionIDs {
-
-            public static final String PROCESS_SAML_LOGOUT = "process-saml-logout";
-            public static final String SAML_REQUEST_VALIDATION = "saml-request-validation";
-            public static final String SAML_LOGOUT_PROCESSING = "saml-logout-processing";
-            public static final String PROCESS_SAML_REQUEST = "process-saml-request";
-            public static final String HAND_OVER_TO_FRAMEWORK = "hand-over-to-framework";
-        }
-
-        /**
-         * Define common and reusable Input keys for diagnostic logs.
-         */
-        public static class InputKeys {
-
-            public static final String SAML_REQUEST = "saml request";
-            public static final String ISSUER = "issuer";
-            public static final String CONSUMER_URL = "consumer url";
-            public static final String AUTH_MODE = "auth mode";
-            public static final String ASSERTION_URL = "assertion url";
-            public static final String QUERY_STRING = "query string";
-        }
-    }
-
 
     public enum QueryParameter {
 
@@ -241,6 +208,32 @@ public static class LogConstants {
 
         public static final String CREATE_SAML_APPLICATION = "CREATE SAML APPLICATION";
         public static final String DELETE_SAML_APPLICATION = "DELETE SAML APPLICATION";
+        public static final String SAML_INBOUND_SERVICE = "saml-inbound-service";
+
+        /**
+         * Define action IDs for diagnostic logs.
+         */
+        public static class ActionIDs {
+
+            public static final String PROCESS_SAML_LOGOUT = "process-saml-logout";
+            public static final String SAML_REQUEST_VALIDATION = "saml-request-validation";
+            public static final String SAML_LOGOUT_PROCESSING = "saml-logout-processing";
+            public static final String PROCESS_SAML_REQUEST = "process-saml-request";
+            public static final String HAND_OVER_TO_FRAMEWORK = "hand-over-to-framework";
+        }
+
+        /**
+         * Define common and reusable Input keys for diagnostic logs.
+         */
+        public static class InputKeys {
+
+            public static final String SAML_REQUEST = "saml request";
+            public static final String ISSUER = "issuer";
+            public static final String CONSUMER_URL = "consumer url";
+            public static final String AUTH_MODE = "auth mode";
+            public static final String ASSERTION_URL = "assertion url";
+            public static final String QUERY_STRING = "query string";
+        }
     }
 
     public static class SingleLogoutCodes {
diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/IdPInitSSOAuthnRequestProcessor.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/IdPInitSSOAuthnRequestProcessor.java
index 100e99b88..c3310bff7 100644
--- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/IdPInitSSOAuthnRequestProcessor.java
+++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/IdPInitSSOAuthnRequestProcessor.java
@@ -57,7 +57,7 @@ public SAMLSSORespDTO process(SAMLSSOAuthnReqDTO authnReqDTO, String sessionId,
         if (LoggerUtils.isDiagnosticLogsEnabled()) {
             DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
                     SAML_INBOUND_SERVICE, SAML_REQUEST_VALIDATION);
-            diagnosticLogBuilder.resultMessage("Validating SP initiated SAML Authentication Request.")
+            diagnosticLogBuilder.resultMessage("Validating IDP initiated SAML Authentication Request.")
                     .inputParam(SAML_REQUEST, authnReqDTO.getRequestMessageString())
                     .inputParam("auth mode", authMode)
                     .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
@@ -219,8 +219,8 @@ public SAMLSSORespDTO process(SAMLSSOAuthnReqDTO authnReqDTO, String sessionId,
                 DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
                         SAML_INBOUND_SERVICE, SAML_REQUEST_VALIDATION);
                 diagnosticLogBuilder.resultMessage("SAML Request validation successful.")
-                        .inputParam("consumer url", samlssoRespDTO.getAssertionConsumerURL())
-                        .inputParam(LogConstants.InputKeys.USER_ID, samlssoRespDTO.getSubject().getUserId())
+                        .inputParam(SAMLSSOConstants.LogConstants.InputKeys.CONSUMER_URL,
+                                samlssoRespDTO.getAssertionConsumerURL())
                         .inputParam(SAMLSSOConstants.LogConstants.InputKeys.ISSUER, authnReqDTO.getIssuer())
                         .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
                         .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION);
diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitLogoutRequestProcessor.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitLogoutRequestProcessor.java
index 858aff6fd..8aad9c9d7 100644
--- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitLogoutRequestProcessor.java
+++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitLogoutRequestProcessor.java
@@ -20,6 +20,7 @@
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.opensaml.saml.saml2.core.Issuer;
 import org.opensaml.saml.saml2.core.LogoutRequest;
 import org.opensaml.saml.saml2.core.LogoutResponse;
 import org.wso2.carbon.context.PrivilegedCarbonContext;
@@ -49,6 +50,7 @@
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 import java.util.function.Function;
 
 import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.ActionIDs.SAML_LOGOUT_PROCESSING;
@@ -102,9 +104,10 @@ public SAMLSSOReqValidationResponseDTO process(LogoutRequest logoutRequest, Stri
                     SAML_INBOUND_SERVICE, SAML_LOGOUT_PROCESSING);
             diagnosticLogBuilder.resultMessage("Processing SP initiated logout request.")
                     .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
-                    .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
-                    .inputParam(SAMLSSOConstants.LogConstants.InputKeys.ISSUER, logoutRequest.getIssuer().getValue())
-                    .inputParam("reason", logoutRequest.getReason());
+                    .resultStatus(DiagnosticLog.ResultStatus.SUCCESS);
+            Optional.ofNullable(logoutRequest).map(LogoutRequest::getIssuer).map(Issuer::getValue)
+                    .ifPresent(issuerValue -> diagnosticLogBuilder.inputParam(
+                            SAMLSSOConstants.LogConstants.InputKeys.ISSUER, issuerValue));
             LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
         }
         try {
@@ -126,21 +129,20 @@ public SAMLSSOReqValidationResponseDTO process(LogoutRequest logoutRequest, Stri
             for (Function<LogoutRequest, ValidationResult<SAMLSSOReqValidationResponseDTO>> validator :
                     logoutRequestValidators) {
                 ValidationResult<SAMLSSOReqValidationResponseDTO> validationResult = validator.apply(logoutRequest);
-                if (LoggerUtils.isDiagnosticLogsEnabled()) {
-                    DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
-                            SAML_INBOUND_SERVICE, SAML_LOGOUT_PROCESSING);
-                    diagnosticLogBuilder.resultMessage("Validating logout request.")
-                            .logDetailLevel(DiagnosticLog.LogDetailLevel.INTERNAL_SYSTEM)
-                            .inputParam(SAMLSSOConstants.LogConstants.InputKeys.ISSUER,
-                                    logoutRequest.getIssuer().getValue())
-                            .inputParam("validator name", validator.getClass().getName())
-                            .inputParam("validation result", validationResult.getValidationStatus());
-                    LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
-                }
                 if (!validationResult.getValidationStatus()) {
                     return validationResult.getValue();
                 }
             }
+            if (LoggerUtils.isDiagnosticLogsEnabled()) {
+                DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+                        SAML_INBOUND_SERVICE, SAML_LOGOUT_PROCESSING);
+                diagnosticLogBuilder.resultMessage("Logout request validation successful.")
+                        .logDetailLevel(DiagnosticLog.LogDetailLevel.INTERNAL_SYSTEM);
+                Optional.ofNullable(logoutRequest).flatMap(request -> Optional.ofNullable(request.getIssuer()))
+                        .ifPresent(issuer -> diagnosticLogBuilder.inputParam(
+                                SAMLSSOConstants.LogConstants.InputKeys.ISSUER, issuer.getValue()));
+                LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
+            }
 
             // Validate whether we have principle session.
             ValidationResult<SAMLSSOReqValidationResponseDTO> validationResult =
@@ -222,7 +224,8 @@ public SAMLSSOReqValidationResponseDTO process(LogoutRequest logoutRequest, Stri
                 diagnosticLogBuilder.resultMessage("Successfully processed SP initiated logout request.")
                         .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
                         .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
-                        .inputParam(SAMLSSOConstants.LogConstants.InputKeys.ISSUER, reqValidationResponseDTO.getIssuer())
+                        .inputParam(SAMLSSOConstants.LogConstants.InputKeys.ISSUER,
+                                reqValidationResponseDTO.getIssuer())
                         .inputParam(SAMLSSOConstants.LogConstants.InputKeys.CONSUMER_URL,
                                 reqValidationResponseDTO.getAssertionConsumerURL());
                 LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java
index 48f6740ef..408d9081d 100644
--- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java
+++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java
@@ -652,13 +652,17 @@ private void handleIdPInitSSO(HttpServletRequest req, HttpServletResponse resp,
                                   boolean isPost, boolean isLogout) throws UserStoreException, IdentityException,
                                                                       IOException, ServletException {
 
+        DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = null;
         if (LoggerUtils.isDiagnosticLogsEnabled()) {
-            DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
-                    SAML_INBOUND_SERVICE, PROCESS_SAML_REQUEST);
-            diagnosticLogBuilder.resultMessage("Handling IdP Initiated SSO request.")
-                    .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
+            diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(SAML_INBOUND_SERVICE, PROCESS_SAML_REQUEST);
+            diagnosticLogBuilder.logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
                     .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
                     .inputParam(SAMLSSOConstants.LogConstants.InputKeys.QUERY_STRING, queryString);
+            if (isLogout) {
+                diagnosticLogBuilder.resultMessage("Handling IdP Initiated SLO request.");
+            } else {
+                diagnosticLogBuilder.resultMessage("Handling IdP Initiated SSO request.");
+            }
             LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
         }
         String rpSessionId = req.getParameter(MultitenantConstants.SSO_AUTH_SESSION_ID);
@@ -781,14 +785,13 @@ private void handleSPInitSSO(HttpServletRequest req, HttpServletResponse resp,
                                  String samlRequest, String sessionId, boolean isPost)
             throws UserStoreException, IdentityException, IOException, ServletException {
 
+        DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = null;
         if (LoggerUtils.isDiagnosticLogsEnabled()) {
-            DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+            diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
                     SAML_INBOUND_SERVICE, PROCESS_SAML_REQUEST);
-            diagnosticLogBuilder.resultMessage("Handling SP Initiated SSO request.")
-                    .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
+            diagnosticLogBuilder.logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
                     .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
                     .inputParam(SAMLSSOConstants.LogConstants.InputKeys.QUERY_STRING, queryString);
-            LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
         }
         String rpSessionId = req.getParameter(MultitenantConstants.SSO_AUTH_SESSION_ID);
         SAMLSSOService samlSSOService = new SAMLSSOService();
@@ -799,6 +802,10 @@ private void handleSPInitSSO(HttpServletRequest req, HttpServletResponse resp,
         setSPAttributeToRequest(req, signInRespDTO.getIssuer(), SAMLSSOUtil.getTenantDomainFromThreadLocal());
 
         if (!signInRespDTO.isLogOutReq()) { // an <AuthnRequest> received
+            if (LoggerUtils.isDiagnosticLogsEnabled() && diagnosticLogBuilder != null) {
+                diagnosticLogBuilder.resultMessage("Handling SP Initiated SSO request.");
+                LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
+            }
             if (signInRespDTO.isValid()) {
                 sendToFrameworkForAuthentication(req, resp, signInRespDTO, relayState, isPost);
             } else {
@@ -813,6 +820,10 @@ private void handleSPInitSSO(HttpServletRequest req, HttpServletResponse resp,
                         signInRespDTO.getAssertionConsumerURL(), req, resp);
             }
         } else { // a <LogoutRequest> received
+            if (LoggerUtils.isDiagnosticLogsEnabled() && diagnosticLogBuilder != null) {
+                diagnosticLogBuilder.resultMessage("Handling SP Initiated SLO request.");
+                LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
+            }
             if (signInRespDTO.isValid()) {
                 sendToFrameworkForLogout(req, resp, signInRespDTO, relayState, sessionId, false, isPost);
             } else {
@@ -1150,10 +1161,10 @@ private void handleAuthenticationReponseFromFramework(HttpServletRequest req, Ht
                     .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
                     .logDetailLevel(DiagnosticLog.LogDetailLevel.INTERNAL_SYSTEM)
                     .inputParam(SAMLSSOConstants.LogConstants.InputKeys.ISSUER, sessionDTO.getIssuer())
-                    .inputParam(LogConstants.InputKeys.USER, LoggerUtils.isLogMaskingEnable ?
-                            LoggerUtils.getMaskedContent(sessionDTO.getSubject()) : sessionDTO.getSubject())
                     .inputParam(SAMLSSOConstants.LogConstants.InputKeys.CONSUMER_URL,
-                            sessionDTO.getAssertionConsumerURL());
+                            sessionDTO.getAssertionConsumerURL())
+                    .inputParam(LogConstants.InputKeys.USER, LoggerUtils.isLogMaskingEnable ?
+                            LoggerUtils.getMaskedContent(sessionDTO.getSubject()) : sessionDTO.getSubject());
             LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
         }
         String sessionDataKey = getSessionDataKey(req);
@@ -1721,11 +1732,6 @@ private QueryParamDTO[] getQueryParams(HttpServletRequest request) {
     private void sendRequestToFramework(HttpServletRequest request, HttpServletResponse response)
             throws ServletException, IOException {
 
-        CommonAuthenticationHandler commonAuthenticationHandler = new CommonAuthenticationHandler();
-
-        CommonAuthResponseWrapper responseWrapper = new CommonAuthResponseWrapper(response);
-        commonAuthenticationHandler.doGet(request, responseWrapper);
-
         if (LoggerUtils.isDiagnosticLogsEnabled()) {
             DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
                     SAML_INBOUND_SERVICE, HAND_OVER_TO_FRAMEWORK);
@@ -1734,6 +1740,11 @@ private void sendRequestToFramework(HttpServletRequest request, HttpServletRespo
                     .logDetailLevel(DiagnosticLog.LogDetailLevel.INTERNAL_SYSTEM);
             LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
         }
+        CommonAuthenticationHandler commonAuthenticationHandler = new CommonAuthenticationHandler();
+
+        CommonAuthResponseWrapper responseWrapper = new CommonAuthResponseWrapper(response);
+        commonAuthenticationHandler.doGet(request, responseWrapper);
+
         Object object = request.getAttribute(FrameworkConstants.RequestParams.FLOW_STATUS);
         if (object != null) {
             AuthenticatorFlowStatus status = (AuthenticatorFlowStatus) object;
@@ -1770,6 +1781,14 @@ private void sendRequestToFramework(HttpServletRequest request, HttpServletRespo
             String type)
             throws ServletException, IOException {
 
+        if (LoggerUtils.isDiagnosticLogsEnabled()) {
+            DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
+                    SAML_INBOUND_SERVICE, HAND_OVER_TO_FRAMEWORK);
+            diagnosticLogBuilder.resultMessage("Call authentication framework directly via API.")
+                    .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
+                    .logDetailLevel(DiagnosticLog.LogDetailLevel.INTERNAL_SYSTEM);
+            LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
+        }
         CommonAuthenticationHandler commonAuthenticationHandler = new CommonAuthenticationHandler();
 
         CommonAuthRequestWrapper requestWrapper = new CommonAuthRequestWrapper(request);
diff --git a/components/org.wso2.carbon.identity.sso.saml/src/test/java/org/wso2/carbon/identity/sso/saml/SAMLSSOServiceTest.java b/components/org.wso2.carbon.identity.sso.saml/src/test/java/org/wso2/carbon/identity/sso/saml/SAMLSSOServiceTest.java
index eea19d3c3..29a385df4 100644
--- a/components/org.wso2.carbon.identity.sso.saml/src/test/java/org/wso2/carbon/identity/sso/saml/SAMLSSOServiceTest.java
+++ b/components/org.wso2.carbon.identity.sso.saml/src/test/java/org/wso2/carbon/identity/sso/saml/SAMLSSOServiceTest.java
@@ -29,6 +29,7 @@
 import org.testng.annotations.Test;
 import org.wso2.carbon.identity.base.IdentityConstants;
 import org.wso2.carbon.identity.base.IdentityException;
+import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;
 import org.wso2.carbon.identity.core.model.SAMLSSOServiceProviderDO;
 import org.wso2.carbon.identity.core.util.IdentityUtil;
 import org.wso2.carbon.identity.sso.saml.dto.QueryParamDTO;
@@ -63,7 +64,7 @@
  * Unit Tests for SAMLSSOService.
  */
 @PrepareForTest({IdentityUtil.class, SAMLSSOUtil.class, SAMLSSOReqValidationResponseDTO.class,
-    SSOSessionPersistenceManager.class})
+    SSOSessionPersistenceManager.class, LoggerUtils.class})
 public class SAMLSSOServiceTest extends PowerMockTestCase {
 
     @DataProvider(name = "testAuthenticate")
@@ -330,6 +331,8 @@ public void testDoSingleLogout() throws Exception {
         mockStatic(SSOSessionPersistenceManager.class);
         when(SSOSessionPersistenceManager.getPersistenceManager()).thenReturn(ssoSessionPersistenceManager);
         when(ssoSessionPersistenceManager.getSessionIndexFromTokenId(anyString(), anyString())).thenReturn("theSessionIndex");
+        mockStatic(LoggerUtils.class);
+        when(LoggerUtils.isDiagnosticLogsEnabled()).thenReturn(true);
 
         SAMLSSOService samlssoService = new SAMLSSOService();
         assertTrue(samlssoService.doSingleLogout("aSeesionID").isLogOutReq(), " Should return" +

From 3c6141a0af36d6b102042043b7b427ca416166cc Mon Sep 17 00:00:00 2001
From: sahandilshan <sahandilshan222@gmail.com>
Date: Mon, 21 Aug 2023 13:31:31 +0530
Subject: [PATCH 6/7] Add missing error diagnostic logs

---
 .../SPInitLogoutRequestProcessor.java         | 30 ++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitLogoutRequestProcessor.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitLogoutRequestProcessor.java
index 8aad9c9d7..19352a12d 100644
--- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitLogoutRequestProcessor.java
+++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitLogoutRequestProcessor.java
@@ -258,6 +258,16 @@ private void setX509Certificate(String issuer, SAMLSSOServiceProviderDO logoutRe
                     "certificate for file based SAML service provider with the issuer name '%s'. " +
                     "The service provider will NOT be loaded.", issuer);
             log.error(errorMessage, e);
+            if (LoggerUtils.isDiagnosticLogsEnabled()) {
+                LoggerUtils.triggerDiagnosticLogEvent(new DiagnosticLog.DiagnosticLogBuilder(
+                        SAML_INBOUND_SERVICE, SAML_LOGOUT_PROCESSING)
+                        .resultMessage("An error occurred while retrieving the application certificate for file " +
+                                "based SAML service provider. The service provider will NOT be loaded.")
+                        .inputParam(SAMLSSOConstants.LogConstants.InputKeys.ISSUER, issuer)
+                        .inputParam(LogConstants.InputKeys.ERROR_MESSAGE, e.getMessage())
+                        .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
+                        .resultStatus(DiagnosticLog.ResultStatus.FAILED));
+            }
         }
     }
 
@@ -293,11 +303,29 @@ private SAMLSSOReqValidationResponseDTO buildErrorResponse(String id, String sta
                 destination, false, null, responseSigningAlgorithmUri, responseDigestAlgorithmUri);
         reqValidationResponseDTO.setLogOutReq(true);
         reqValidationResponseDTO.setValid(false);
+        DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = null;
+        if (LoggerUtils.isDiagnosticLogsEnabled()) {
+            diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(SAML_INBOUND_SERVICE, SAML_LOGOUT_PROCESSING)
+                    .inputParam("status code", status)
+                    .inputParam("destination", destination)
+                    .resultMessage(statMsg)
+                    .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
+                    .resultStatus(DiagnosticLog.ResultStatus.FAILED);
+        }
         try {
             reqValidationResponseDTO.setResponse(SAMLSSOUtil.compressResponse(SAMLSSOUtil.marshall(logoutResp)));
         } catch (IOException e) {
+            if (diagnosticLogBuilder != null) {
+                // diagnosticLogBuilder is null when LoggerUtils.isDiagnosticLogsEnabled() is false.
+                diagnosticLogBuilder.resultMessage("Error while creating logout response.")
+                        .inputParam(LogConstants.InputKeys.ERROR_MESSAGE, e.getMessage());
+                LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
+            }
             throw IdentityException.error("Error while creating logout response", e);
         }
+        if (LoggerUtils.isDiagnosticLogsEnabled()) {
+            LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
+        }
         return reqValidationResponseDTO;
     }
 
@@ -357,7 +385,7 @@ private SAMLSSOReqValidationResponseDTO buildErrorResponse(String id, String sta
         }
         if (LoggerUtils.isDiagnosticLogsEnabled()) {
             DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
-                    SAML_INBOUND_SERVICE, "saml-logout-processing");
+                    SAML_INBOUND_SERVICE, SAML_LOGOUT_PROCESSING);
             diagnosticLogBuilder.resultMessage("Error while processing the SAML logout request.")
                     .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
                     .resultStatus(DiagnosticLog.ResultStatus.FAILED)

From a6157c3e54fef6f1636decb1e6233d1d6ae2bd5d Mon Sep 17 00:00:00 2001
From: sahandilshan <sahandilshan222@gmail.com>
Date: Mon, 21 Aug 2023 20:41:52 +0530
Subject: [PATCH 7/7] Make the actionIDs consistent

---
 .../identity/sso/saml/SAMLSSOConstants.java      |  3 +--
 .../IdPInitSSOAuthnRequestProcessor.java         |  8 ++++----
 .../processors/SPInitLogoutRequestProcessor.java | 16 ++++++++--------
 .../SPInitSSOAuthnRequestProcessor.java          |  8 ++++----
 .../sso/saml/servlet/SAMLSSOProviderServlet.java |  4 ++--
 5 files changed, 19 insertions(+), 20 deletions(-)

diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java
index 2abd36acb..3ce5c9e0e 100644
--- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java
+++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java
@@ -216,8 +216,7 @@ public static class LogConstants {
         public static class ActionIDs {
 
             public static final String PROCESS_SAML_LOGOUT = "process-saml-logout";
-            public static final String SAML_REQUEST_VALIDATION = "saml-request-validation";
-            public static final String SAML_LOGOUT_PROCESSING = "saml-logout-processing";
+            public static final String VALIDATE_SAML_REQUEST = "validate-saml-request";
             public static final String PROCESS_SAML_REQUEST = "process-saml-request";
             public static final String HAND_OVER_TO_FRAMEWORK = "hand-over-to-framework";
         }
diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/IdPInitSSOAuthnRequestProcessor.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/IdPInitSSOAuthnRequestProcessor.java
index c3310bff7..62e06ba44 100644
--- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/IdPInitSSOAuthnRequestProcessor.java
+++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/IdPInitSSOAuthnRequestProcessor.java
@@ -43,7 +43,7 @@
 import java.util.Optional;
 import java.util.UUID;
 
-import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.ActionIDs.SAML_REQUEST_VALIDATION;
+import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.ActionIDs.VALIDATE_SAML_REQUEST;
 import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.InputKeys.SAML_REQUEST;
 import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.SAML_INBOUND_SERVICE;
 
@@ -56,7 +56,7 @@ public SAMLSSORespDTO process(SAMLSSOAuthnReqDTO authnReqDTO, String sessionId,
 
         if (LoggerUtils.isDiagnosticLogsEnabled()) {
             DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
-                    SAML_INBOUND_SERVICE, SAML_REQUEST_VALIDATION);
+                    SAML_INBOUND_SERVICE, VALIDATE_SAML_REQUEST);
             diagnosticLogBuilder.resultMessage("Validating IDP initiated SAML Authentication Request.")
                     .inputParam(SAML_REQUEST, authnReqDTO.getRequestMessageString())
                     .inputParam("auth mode", authMode)
@@ -217,7 +217,7 @@ public SAMLSSORespDTO process(SAMLSSOAuthnReqDTO authnReqDTO, String sessionId,
             }
             if (LoggerUtils.isDiagnosticLogsEnabled()) {
                 DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
-                        SAML_INBOUND_SERVICE, SAML_REQUEST_VALIDATION);
+                        SAML_INBOUND_SERVICE, VALIDATE_SAML_REQUEST);
                 diagnosticLogBuilder.resultMessage("SAML Request validation successful.")
                         .inputParam(SAMLSSOConstants.LogConstants.InputKeys.CONSUMER_URL,
                                 samlssoRespDTO.getAssertionConsumerURL())
@@ -351,7 +351,7 @@ private SAMLSSORespDTO buildErrorResponse(String id, List<String> statusCodeList
         samlSSORespDTO.setSessionEstablished(false);
         if (LoggerUtils.isDiagnosticLogsEnabled()) {
             DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
-                    SAML_INBOUND_SERVICE, SAML_REQUEST_VALIDATION);
+                    SAML_INBOUND_SERVICE, VALIDATE_SAML_REQUEST);
             diagnosticLogBuilder.logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
                     .inputParam(SAML_REQUEST, id)
                     .inputParam("error saml response", encodedResponse)
diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitLogoutRequestProcessor.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitLogoutRequestProcessor.java
index 19352a12d..7acff956f 100644
--- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitLogoutRequestProcessor.java
+++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitLogoutRequestProcessor.java
@@ -53,7 +53,7 @@
 import java.util.Optional;
 import java.util.function.Function;
 
-import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.ActionIDs.SAML_LOGOUT_PROCESSING;
+import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.ActionIDs.PROCESS_SAML_LOGOUT;
 import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.SAML_INBOUND_SERVICE;
 
 /**
@@ -101,7 +101,7 @@ public SAMLSSOReqValidationResponseDTO process(LogoutRequest logoutRequest, Stri
         reqValidationResponseDTO.setLogOutReq(true);
         if (LoggerUtils.isDiagnosticLogsEnabled()) {
             DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
-                    SAML_INBOUND_SERVICE, SAML_LOGOUT_PROCESSING);
+                    SAML_INBOUND_SERVICE, PROCESS_SAML_LOGOUT);
             diagnosticLogBuilder.resultMessage("Processing SP initiated logout request.")
                     .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
                     .resultStatus(DiagnosticLog.ResultStatus.SUCCESS);
@@ -135,7 +135,7 @@ public SAMLSSOReqValidationResponseDTO process(LogoutRequest logoutRequest, Stri
             }
             if (LoggerUtils.isDiagnosticLogsEnabled()) {
                 DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
-                        SAML_INBOUND_SERVICE, SAML_LOGOUT_PROCESSING);
+                        SAML_INBOUND_SERVICE, PROCESS_SAML_LOGOUT);
                 diagnosticLogBuilder.resultMessage("Logout request validation successful.")
                         .logDetailLevel(DiagnosticLog.LogDetailLevel.INTERNAL_SYSTEM);
                 Optional.ofNullable(logoutRequest).flatMap(request -> Optional.ofNullable(request.getIssuer()))
@@ -220,7 +220,7 @@ public SAMLSSOReqValidationResponseDTO process(LogoutRequest logoutRequest, Stri
 
             if (LoggerUtils.isDiagnosticLogsEnabled()) {
                 DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
-                        SAML_INBOUND_SERVICE, SAML_LOGOUT_PROCESSING);
+                        SAML_INBOUND_SERVICE, PROCESS_SAML_LOGOUT);
                 diagnosticLogBuilder.resultMessage("Successfully processed SP initiated logout request.")
                         .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
                         .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
@@ -234,7 +234,7 @@ public SAMLSSOReqValidationResponseDTO process(LogoutRequest logoutRequest, Stri
         } catch (UserStoreException | IdentityException | IOException e) {
             if (LoggerUtils.isDiagnosticLogsEnabled()) {
                 DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
-                        SAML_INBOUND_SERVICE, SAML_LOGOUT_PROCESSING);
+                        SAML_INBOUND_SERVICE, PROCESS_SAML_LOGOUT);
                 diagnosticLogBuilder.resultMessage("Error processing SP initiated logout request.")
                         .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
                         .resultStatus(DiagnosticLog.ResultStatus.FAILED)
@@ -260,7 +260,7 @@ private void setX509Certificate(String issuer, SAMLSSOServiceProviderDO logoutRe
             log.error(errorMessage, e);
             if (LoggerUtils.isDiagnosticLogsEnabled()) {
                 LoggerUtils.triggerDiagnosticLogEvent(new DiagnosticLog.DiagnosticLogBuilder(
-                        SAML_INBOUND_SERVICE, SAML_LOGOUT_PROCESSING)
+                        SAML_INBOUND_SERVICE, PROCESS_SAML_LOGOUT)
                         .resultMessage("An error occurred while retrieving the application certificate for file " +
                                 "based SAML service provider. The service provider will NOT be loaded.")
                         .inputParam(SAMLSSOConstants.LogConstants.InputKeys.ISSUER, issuer)
@@ -305,7 +305,7 @@ private SAMLSSOReqValidationResponseDTO buildErrorResponse(String id, String sta
         reqValidationResponseDTO.setValid(false);
         DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = null;
         if (LoggerUtils.isDiagnosticLogsEnabled()) {
-            diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(SAML_INBOUND_SERVICE, SAML_LOGOUT_PROCESSING)
+            diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(SAML_INBOUND_SERVICE, PROCESS_SAML_LOGOUT)
                     .inputParam("status code", status)
                     .inputParam("destination", destination)
                     .resultMessage(statMsg)
@@ -385,7 +385,7 @@ private SAMLSSOReqValidationResponseDTO buildErrorResponse(String id, String sta
         }
         if (LoggerUtils.isDiagnosticLogsEnabled()) {
             DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
-                    SAML_INBOUND_SERVICE, SAML_LOGOUT_PROCESSING);
+                    SAML_INBOUND_SERVICE, PROCESS_SAML_LOGOUT);
             diagnosticLogBuilder.resultMessage("Error while processing the SAML logout request.")
                     .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
                     .resultStatus(DiagnosticLog.ResultStatus.FAILED)
diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitSSOAuthnRequestProcessor.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitSSOAuthnRequestProcessor.java
index 19d54faea..b2db5d6db 100644
--- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitSSOAuthnRequestProcessor.java
+++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitSSOAuthnRequestProcessor.java
@@ -46,7 +46,7 @@
 import java.util.Optional;
 import java.util.UUID;
 
-import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.ActionIDs.SAML_REQUEST_VALIDATION;
+import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.ActionIDs.VALIDATE_SAML_REQUEST;
 import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.SAML_INBOUND_SERVICE;
 
 public class SPInitSSOAuthnRequestProcessor implements SSOAuthnRequestProcessor{
@@ -58,7 +58,7 @@ public SAMLSSORespDTO process(SAMLSSOAuthnReqDTO authnReqDTO, String sessionId,
 
         if (LoggerUtils.isDiagnosticLogsEnabled()) {
             DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
-                    SAML_INBOUND_SERVICE, SAML_REQUEST_VALIDATION);
+                    SAML_INBOUND_SERVICE, VALIDATE_SAML_REQUEST);
             diagnosticLogBuilder.resultMessage("Validating SP initiated SAML Authentication Request.")
                     .inputParam(SAMLSSOConstants.LogConstants.InputKeys.SAML_REQUEST,
                             authnReqDTO.getRequestMessageString())
@@ -199,7 +199,7 @@ public SAMLSSORespDTO process(SAMLSSOAuthnReqDTO authnReqDTO, String sessionId,
             }
             if (LoggerUtils.isDiagnosticLogsEnabled() && samlssoRespDTO != null) {
                 DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
-                        SAML_INBOUND_SERVICE, SAML_REQUEST_VALIDATION);
+                        SAML_INBOUND_SERVICE, VALIDATE_SAML_REQUEST);
                 diagnosticLogBuilder.resultMessage("SAML Request validation successful.")
                         .inputParam(SAMLSSOConstants.LogConstants.InputKeys.CONSUMER_URL,
                                 samlssoRespDTO.getAssertionConsumerURL())
@@ -339,7 +339,7 @@ private SAMLSSORespDTO buildErrorResponse(String id, List<String> statusCodeList
         samlSSORespDTO.setSessionEstablished(false);
         if (LoggerUtils.isDiagnosticLogsEnabled()) {
             DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
-                    SAML_INBOUND_SERVICE, SAML_REQUEST_VALIDATION);
+                    SAML_INBOUND_SERVICE, VALIDATE_SAML_REQUEST);
             diagnosticLogBuilder.logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
                     .inputParam("saml request", requestMessageString)
                     .inputParam("error saml response", encodedResponse)
diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java
index 408d9081d..2cbf19459 100644
--- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java
+++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java
@@ -117,7 +117,7 @@
 import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.RequestParams.TENANT_DOMAIN;
 import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.ActionIDs.HAND_OVER_TO_FRAMEWORK;
 import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.ActionIDs.PROCESS_SAML_REQUEST;
-import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.ActionIDs.SAML_REQUEST_VALIDATION;
+import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.ActionIDs.VALIDATE_SAML_REQUEST;
 import static org.wso2.carbon.identity.sso.saml.SAMLSSOConstants.LogConstants.SAML_INBOUND_SERVICE;
 
 /**
@@ -577,7 +577,7 @@ private void sendNotification(String errorResp, String status, String message,
                                   HttpServletResponse resp) throws ServletException, IOException {
 
         DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(
-                SAML_INBOUND_SERVICE, SAML_REQUEST_VALIDATION);
+                SAML_INBOUND_SERVICE, VALIDATE_SAML_REQUEST);
         if (LoggerUtils.isDiagnosticLogsEnabled()) {
             diagnosticLogBuilder.resultMessage("An error occurred while processing the SAML request. Prompts user " +
                             "a notification.")