Audit log description - SSO

Introduction

Ubisecure SSO writes several distinct logs. This page describes the audit log. The audit log is written to files named according to the convention uas_audit.[date].log, where [date] is the current date formatted as YYYY-MM-DD.

General format

The log is written in comma-separated values (CSV) format. Each row represents one log entry. The values of an entry are enclosed in quotation marks and separated by commas. The first value of each row is an ISO 8601-formatted timestamp, the second is the client's IP address, and the third is the type of the log entry. The remaining values are type-dependent.

Timestamp | IP-address | Type | … | …

General log entry format

Entry types

Possible log entry types are as follows: authentication method list, authentication method selected, login, invalid login, ticket granted, assertion received, access denied and logout.

Authentication method list

An authentication method list entry is logged when a user is shown the authentication method list.

Timestamp | IP-Address | "authentication method list" | Session identifier | Authentication request origin | User agent

"Authentication method list"-entry format

Example:

"2003-08-25 12:57:02,622", "192.168.0.66", "authentication method list", "dfff2af759817ce44c3d31654e1b573", "cn=service,ou=example,dc=example ", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"


Authentication method selection

An authentication method selection entry is logged when a user selects an authentication method.

Timestamp | IP-Address | "authentication method selected" | Session identifier | Authentication method name | Authentication request origin | User agent

"Authentication method selected"-entry format

Example:

"2003-08-25 12:57:44,449", "192.168.0.66", "authentication method selected", "dfff2af759817ce44c3d31654e1b573", "tupas.1", "cn=service,ou=example,dc=example", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1 "

Login

A login entry is logged when a user is authenticated successfully.

Time | IP | "login" | Session identifier | Authentication identifier | Authentication method name | Ubisecure user identifier | Authentication method user identifier | Authentication request origin | 3rd party authentication identifier | User agent

"Login"-entry format

Example:

"2003-08-25 12:58:07,250" ,"192.168.0.66" ,"login", "dfff2af759817ce44c3d31654e1b573", "1dc4a5c9c4228be", "tupas.1", "uid=010101+2221,cn=tupas.1,cn=Server,ou=System,dc=example", "010101+2221","cn=service,ou=example,dc=example","805485067", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"

Invalid login

An invalid login entry is logged when a user authentication fails.

Timestamp | IP-Address | "invalid login" | Session identifier | Authentication method name | Authentication method user identifier | Authentication request origin | Reason for failure | User agent

"Invalid login"-entry format

Example:

"2003-08-25 12:57:55,144", "192.168.0.66", "invalid login", "dfff2af759817ce44c3d31654e1b573", "tupas.1", "Login cancelled", "cn=service,ou=example,dc=example", "tupas2_cancelled", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"

Ticket granted

A ticket granted entry is logged when a user is granted a ticket to a web application.

Timestamp | IP-Address | "ticket granted" | Session identifier | Authentication identifier | Authentication request origin | Redirect URL | Ubisecure user identifier | Web application user identifier | User agent

"Ticket granted"-entry format

Example:

"2003-08-25 12:58:07,330", "192.168.0.66", "ticket granted", "dfff2af759817ce44c3d31654e1b573", "1dc4a5c9c4228be", "cn=service,ou=example,dc=example", "uid=010101+2221,cn=tupas.1,cn=Server,ou=System,dc=example", "uid=010101+2221,cn=tupas.1,cn=Server,ou=System,dc=example", "https://www.example.com", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"

Access denied

An access denied entry is logged when an authenticated user is denied access to a web application.

Timestamp | IP-Address | "access denied" | Session identifier | Authentication request origin | Reason of denial | User agent

"Access denied"-entry format

Example:

"2003-08-26 13:50:39,244", "192.168.0.66", "access denied", "bb4d4463c8e45564e41cb62d734eee1b", "cn=Ubilogin,ou=System,dc=example", "No permission", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"

Assertion received

An assertion received entry is logged when an authentication assertion is received. (Exact attributes vary depending on the authentication method.)

Timestamp | IP-Address | "assertion received" | Session identifier | Authentication method | Authenticator identifier | Attributes | User agent

"Assertion received"-entry format

Example:

"2011-10-12 09:06:38,294","195.197.205.34","assertion received","cabe0d9d07d42172a8e7af5de2425dca1c9154dc","saml.vetuma.1","MPL_fcfe337dd7b3-89fb9311-09f6-4876-9592-0c58a7e6e353-bccf3cb3304b","urn%3Aoid%3A2.5.4.3=NORDEA+%2F+DEMO&urn%3Aoid%3A1.2.246.21=210281-9988&urn%3Aoid%3A1.3.6.1.4.1.31350.1.11=https%3A%2F%2Fsolo3.nordea.fi%2Fcgi-bin%2FSOLO3011","Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"

Logout

A logout entry is logged when a user logs out from Ubisecure SSO.

Timestamp | IP-Address | "logout" | Session identifier | User agent

"Logout"-entry format

Example:

"2003-08-25 12:58:08,993", "192.168.0.66", "logout", "dfff2af759817ce44c3d31654e1b573", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"
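
A parser for the rows described on this page, added here as an example and not Ubisecure's own code: it maps each entry type to the field order given in the tables above, then counts invalid logins per client IP and collects the event types seen per session identifier. The dictionary key names and the functions parse_line and summarise are assumptions of this example, and the sample rows are constructed.

```python
import csv
from collections import Counter, defaultdict

# Type-dependent columns, in the order of the field tables on this page (key names are assumed).
SCHEMAS = {
    "authentication method list": ["session", "origin", "user_agent"],
    "authentication method selected": ["session", "method", "origin", "user_agent"],
    "login": ["session", "auth_id", "method", "user", "method_user", "origin", "third_party_id", "user_agent"],
    "invalid login": ["session", "method", "method_user", "origin", "reason", "user_agent"],
    "ticket granted": ["session", "auth_id", "origin", "redirect_url", "user", "app_user", "user_agent"],
    "access denied": ["session", "origin", "reason", "user_agent"],
    "assertion received": ["session", "method", "authenticator", "attributes", "user_agent"],
    "logout": ["session", "user_agent"],
}

def parse_line(line):
    """Return one audit row as a dict; raise ValueError on unknown type or wrong value count."""
    # skipinitialspace lets the quote after ", " open a quoted field, so commas
    # inside timestamps, DNs and user agents stay within their value.
    row = [v.strip() for v in next(csv.reader([line], skipinitialspace=True))]
    if len(row) < 3 or row[2] not in SCHEMAS:
        raise ValueError(f"unrecognised entry: {line!r}")
    names = ["timestamp", "ip", "type"] + SCHEMAS[row[2]]
    if len(row) != len(names):
        raise ValueError(f"{row[2]!r}: expected {len(names)} values, got {len(row)}")
    return dict(zip(names, row))

def summarise(lines):
    """Return (invalid-login count per IP, event types per session, rejected row count)."""
    failures, sessions, rejected = Counter(), defaultdict(list), 0
    for line in lines:
        try:
            entry = parse_line(line)
        except ValueError:
            rejected += 1  # keep a count: malformed rows deserve a look of their own
            continue
        sessions[entry["session"]].append(entry["type"])
        if entry["type"] == "invalid login":
            failures[entry["ip"]] += 1
    return failures, dict(sessions), rejected

# Constructed sample rows (not real log data), modelled on the examples on this page.
SAMPLE = [
    '"2003-08-25 12:57:44,449", "192.168.0.66", "authentication method selected", "aaa1", "tupas.1", "cn=service,ou=example,dc=example", "Mozilla/5.0 (KHTML, like Gecko)"',
    '"2003-08-25 12:57:55,144", "192.168.0.66", "invalid login", "aaa1", "tupas.1", "010101+2221", "cn=service,ou=example,dc=example", "tupas2_cancelled", "Mozilla/5.0"',
    '"2003-08-25 12:58:07,250" ,"192.168.0.66" ,"login", "aaa1", "1dc4", "tupas.1", "uid=010101+2221,cn=tupas.1,cn=Server,ou=System,dc=example", "010101+2221", "cn=service,ou=example,dc=example", "805485067", "Mozilla/5.0"',
    '"2003-08-25 12:58:08,993", "192.168.0.66", "logout", "aaa1", "Mozilla/5.0"',
    '"2003-08-25 12:59:00,000", "192.168.0.66", "logout"',
]
```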