Audit log description - SSO
Introduction
While Ubisecure SSO writes several distinct logs, this page describes the audit log. The audit log is written to files named according to the convention uas_audit.[date].log: every log file name begins with uas_audit, continues with the [date] formatted as YYYY-MM-DD, and ends with the .log extension.
General format
The log is written in Comma-Separated Values (CSV) format. Each row represents one log entry. Each entry contains several fields; the values are enclosed in quotation marks and separated by commas. The first field of each row is an ISO 8601 formatted timestamp, the second field is the client's IP address, and the third field is the type of the log entry. The remaining fields depend on the log entry type.
General log entry format:
| Timestamp | IP-address | Type | ... |
|---|---|---|---|
Where fields are:
| Field Name | Description |
|---|---|
| Timestamp | Time when the event occurred. ISO 8601 formatted timestamp. |
| IP-address | IP address of the user's client. |
| Type | Type of event. |
Entry types
There are currently ten possible log entry types: authentication method list, authentication method selected, login, invalid login, ticket granted, assertion received, access denied, logout, consent confirmed and consent rejected. Each of these will be detailed with example content for each field in the listing below.
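As an added example (written for this page, not code from Ubisecure or its documentation), the following Python reads entries in the general format described above, maps the type-dependent trailing fields to names taken from the per-type tables in this document, counts invalid login entries per client IP so that bursts of failures stand out, and decodes the URL-encoded Attributes field of an assertion received entry. The snake_case field keys, the function names and the sample log lines are my own; the sample lines are constructed from the document's examples with shortened user agents and placeholder identifiers.

```python
import csv
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qs

# Field names after the three fixed leading fields (timestamp, IP address,
# entry type), following the per-type tables in this document. The snake_case
# keys are this example's own naming, not identifiers used by Ubisecure SSO.
ENTRY_FIELDS = {
    "authentication method list": [
        "session_id", "auth_request_origin", "user_agent"],
    "authentication method selected": [
        "session_id", "auth_method", "auth_request_origin", "user_agent"],
    "login": [
        "session_id", "auth_id", "auth_method", "ubisecure_user_id",
        "auth_method_user_id", "auth_request_origin", "third_party_auth_id",
        "user_agent"],
    "invalid login": [
        "session_id", "auth_method", "auth_method_user_id",
        "auth_request_origin", "reason", "user_agent"],
    "ticket granted": [
        "session_id", "auth_id", "auth_request_origin", "redirect_url",
        "ubisecure_user_id", "web_app_user_id", "user_agent"],
    "access denied": [
        "session_id", "auth_request_origin", "reason", "user_agent"],
    "assertion received": [
        "session_id", "auth_method", "authenticator_id", "attributes",
        "user_agent"],
    "logout": ["session_id", "user_agent"],
}

# Constructed sample log: lines modelled on the document's examples, with
# shortened user agents and placeholder session/authenticator identifiers.
SAMPLE_LOG = """\
"2020-05-29 08:49:40,118", "192.168.0.66", "authentication method list", "dfff2af759817ce44c3d31654e1b573", "cn=service,ou=example,dc=example", "Mozilla/5.0 (X11; Linux x86_64)"
"2020-05-29 08:50:01,090","172.27.0.1","invalid login","_e89ac671b7b5ec6a2fce69664f9eaca390a916a4","password.1","exampeUser","cn=Ubilogin,ou=System,cn=Ubilogin,dc=test","The user was not found","Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"2020-05-29 08:50:09,412","172.27.0.1","invalid login","_e89ac671b7b5ec6a2fce69664f9eaca390a916a4","password.1","example.user","cn=Ubilogin,ou=System,cn=Ubilogin,dc=test","The user was not found","Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"2020-05-29 08:50:17,933","172.27.0.1","invalid login","_e89ac671b7b5ec6a2fce69664f9eaca390a916a4","password.1","j.doe","cn=Ubilogin,ou=System,cn=Ubilogin,dc=test","The user was not found","Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"2020-05-29 08:51:02,250","192.168.0.66","login","dfff2af759817ce44c3d31654e1b573","1dc4a5c9c4228be","tupas.1","uid=010101+2221,cn=tupas.1,cn=Server,ou=System,dc=example","010101+2221","cn=service,ou=example,dc=example","805485067","Mozilla/5.0 (X11; Linux x86_64)"
"2020-05-29 08:52:10,001","192.168.0.66","assertion received","_cabe0d9d07d42172a8e7af5de2425dca1c9154dc","saml.example.1","PLACEHOLDER-authenticator-id","urn%3Aoid%3A2.5.4.3=Example+%2F+DEMO&urn%3Aoid%3A2.5.4.42=Jane","Mozilla/5.0 (X11; Linux x86_64)"
"""


def parse_entry(fields):
    """Turn one CSV row (already split into fields) into a dict keyed by field name."""
    fields = [f.strip() for f in fields]
    if len(fields) < 3:
        raise ValueError("audit entry needs at least timestamp, IP and type: %r" % fields)
    timestamp, ip, entry_type = fields[:3]
    entry = {
        # e.g. "2020-05-29 08:50:01,090": ISO 8601 date/time, comma before milliseconds
        "timestamp": datetime.strptime(timestamp, "%Y-%m-%d %H:%M:%S,%f"),
        "ip": ip,
        "type": entry_type,
    }
    names = ENTRY_FIELDS.get(entry_type)
    if names is None:
        # Type not detailed in this example (e.g. the consent entries): keep the raw tail.
        entry["extra"] = fields[3:]
        return entry
    if len(fields) - 3 != len(names):
        raise ValueError("%s entry has %d trailing fields, expected %d"
                         % (entry_type, len(fields) - 3, len(names)))
    entry.update(zip(names, fields[3:]))
    return entry


def parse_log(text):
    """Parse a whole audit log. The csv reader keeps commas inside quoted fields
    (LDAP DNs, the timestamp's millisecond separator) intact, and skipinitialspace
    tolerates the ", " spacing seen in the older examples."""
    rows = csv.reader(text.splitlines(), skipinitialspace=True)
    return [parse_entry(row) for row in rows if row]


def failed_logins_by_ip(entries, threshold=3):
    """Client IPs with at least `threshold` invalid login entries."""
    counts = Counter(e["ip"] for e in entries if e["type"] == "invalid login")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def decode_attributes(entry):
    """Decode the URL-encoded Attributes field of an assertion received entry
    into {attribute name: [values]}."""
    return parse_qs(entry["attributes"], keep_blank_values=True)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for ip, n in failed_logins_by_ip(entries).items():
        print("%s: %d invalid logins" % (ip, n))
    for e in entries:
        if e["type"] == "assertion received":
            print(decode_attributes(e))
```

A naive `line.split(",")` would break on this format because the timestamp itself contains a comma and LDAP names contain several; the csv module respects the quoting. The field-count check is deliberate: a row whose tail does not match the documented layout is reported rather than silently mis-mapped, which is what you want before feeding the output to alerting.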
Authentication method list
An authentication method list entry is generated when a user is shown the authentication method list.
"Authentication method list" - entry format:
| Field Name | Timestamp | IP-address | "authentication method list" | Session ID | Authentication Request Origin | User Agent |
|---|---|---|---|---|---|---|
| Example Values | "2003-08-25 12:57:02,622" | "192.168.0.66" | "authentication method list" | "dfff2af759817ce44c3d31654e1b573" | "cn=service,ou=example,dc=example" | "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1" |
Where fields are:
| Field Name | Description |
|---|---|
| Session ID | Unique identifier generated for the single sign-on session when it is created. |
| Authentication Request Origin | The LDAP name of the client application which initiated the authentication process. |
| User Agent | Identification of the Web client used for authentication, from the "User-Agent" HTTP request header. |
Example:
"2003-08-25 12:57:02,622", "192.168.0.66", "authentication method list", "dfff2af759817ce44c3d31654e1b573", "cn=service,ou=example,dc=example", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"
Authentication method selection
An authentication method selection entry is generated when a user selects an authentication method, or when only one authentication method is applicable and the system selects it automatically.
"Authentication method selected" - entry format:
| Field Name | Timestamp | IP-address | "authentication method selected" | Session ID | Authentication Method | Authentication Request Origin | User Agent |
|---|---|---|---|---|---|---|---|
| Example Values | "2003-08-25 12:57:44,449" | "192.168.0.66" | "authentication method selected" | "dfff2af759817ce44c3d31654e1b573" | "tupas.1" | "cn=service,ou=example,dc=example" | "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1" |
Where fields are:
| Field Name | Description |
|---|---|
| Session ID | Unique identifier generated for the single sign-on session when it is created. |
| Authentication Method | The name of the selected authentication method. |
| Authentication Request Origin | The LDAP name of the client application which initiated the authentication process. |
| User Agent | Identification of the Web client used for authentication, from the "User-Agent" HTTP request header. |
Example:
"2003-08-25 12:57:44,449", "192.168.0.66", "authentication method selected", "dfff2af759817ce44c3d31654e1b573", "tupas.1", "cn=service,ou=example,dc=example", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"
Login
A login entry is generated when a user has authenticated successfully. In SSO, this may occur several times during the same session.
"Login" - entry format:
| Field Name | Timestamp | IP-address | "login" | Session ID | Authentication ID | Authentication Method | Ubisecure User ID | Authentication Method User ID | Authentication Request Origin | 3rd Party Authentication ID | User Agent |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Example Values | "2003-08-25 12:58:07,250" | "192.168.0.66" | "login" | "dfff2af759817ce44c3d31654e1b573" | "1dc4a5c9c4228be" | "tupas.1" | "uid=010101+2221,cn=tupas.1,cn=Server,ou=System,dc=example" | "010101+2221" | "cn=service,ou=example,dc=example" | "805485067" | "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1" |
Where fields are:
| Field Name | Description |
|---|---|
| Session ID | Unique identifier generated for the single sign-on session when it is created. |
| Authentication ID | Identifier generated by SSO for an authentication within the single sign-on session. |
| Authentication Method | Name of the authentication method used. |
| Ubisecure User ID | Unique identifier for the user. For users registered in the user directory, this is the LDAP name. For other users, it is formed from the Authentication Method User ID and the LDAP name of the authentication method used. |
| Authentication Method User ID | The Authentication Method User ID value depends on the authentication method used: |
| Authentication Request Origin | The LDAP name of the client application which initiated the authentication process. |
| 3rd Party Authentication ID | Identifier of the authentication event, which can be specified by the 3rd party identity provider. If the 3rd party identity provider does not specify an identifier, SSO generates a random string and uses it as the value instead. Some authentication methods which set the Authenticator ID: |
| User Agent | Value of the User-Agent HTTP request header. |
Example:
"2003-08-25 12:58:07,250","192.168.0.66","login","dfff2af759817ce44c3d31654e1b573","1dc4a5c9c4228be","tupas.1","uid=010101+2221,cn=tupas.1,cn=Server,ou=System,dc=example","010101+2221","cn=service,ou=example,dc=example","805485067","Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"
Invalid login
An invalid login entry is generated when a user authentication fails. The failure can have any cause: any authentication attempt that does not complete is logged as an invalid login, with the reason for the failure stated in the log entry.
"invalid login" - entry format:
| Field Name | Timestamp | IP-address | "invalid login" | Session ID | Authentication Method | Authentication Method User ID | Authentication Request Origin | Reason For Failure | User Agent |
|---|---|---|---|---|---|---|---|---|---|
| Example Values | "2020-05-29 08:50:01,090" | "172.27.0.1" | "invalid login" | "_e89ac671b7b5ec6a2fce69664f9eaca390a916a4" | "password.1" | "exampeUser" | "cn=Ubilogin,ou=System,cn=Ubilogin,dc=test" | "The user was not found" | "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0" |
Where fields are:
| Field Name | Description |
|---|---|
| Session ID | Unique identifier generated for the single sign-on session when it is created. |
| Authentication Method | Name of the authentication method used. |
| Authentication Method User ID | The Authentication Method User ID value depends on the authentication method used: |
| Authentication Request Origin | The LDAP name of the client application which initiated the authentication process. |
| Reason for Failure | Reason for the login failure. |
| User Agent | Value of the User-Agent HTTP request header. |
Example:
"2020-05-29 08:50:01,090","172.27.0.1","invalid login","_e89ac671b7b5ec6a2fce69664f9eaca390a916a4","password.1","exampeUser","cn=Ubilogin,ou=System,cn=Ubilogin,dc=test","The user was not found","Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0"
Ticket granted
A ticket granted entry is generated when a user is granted access to the client application.
"Ticket granted"-entry format:
| Field Name | Timestamp | IP-Address | "ticket granted" | Session ID | Authentication ID | Authentication Request Origin | Redirect URL | Ubisecure User ID | Web Application User ID | User Agent |
|---|---|---|---|---|---|---|---|---|---|---|
| Example Values | "2020-05-27 13:30:02,547" | "192.168.0.66" | "ticket granted" | "_11a098a6b573f8eb8e57a0bdd04ac784a9337b4c" | "4955a04e12589570" | "cn=client1,ou=OIDC-testing,ou=System,cn=Ubilogin,dc=test" | "https://www.example.com/" | "CN=Stephen Butterworth,OU=Example,CN=Ubilogin,DC=test" | "stephen.butterworth@example.org" | "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" |
Where fields are:
| Field Name | Description |
|---|---|
| Session ID | Unique identifier generated for the single sign-on session when it is created. |
| Authentication ID | Identifier generated by SSO for an authentication within the single sign-on session. |
| Authentication Request Origin | The LDAP name of the client application which initiated the authentication process. |
| Redirect URL | The URL to forward the user to after the authentication flow has been completed. |
| Ubisecure User ID | Unique identifier for the user. For users registered in the user directory it is the LDAP name; for other users it is formed from the Authentication Method User ID and the LDAP name of the authentication method used. |
| Web Application User ID | The username sent to the application. The source of this value depends on the type of the application. Administrators can override it by setting a value in the authorization policy with the attribute name 'username', which allows customizing the logged value. |
| User Agent | Value of the User-Agent HTTP request header. |
Example:
"2020-05-27 13:30:02,547","192.168.0.66","ticket granted","_11a098a6b573f8eb8e57a0bdd04ac784a9337b4c","4955a04e12589570","cn=client1,ou=OIDC-testing,ou=System,cn=Ubilogin,dc=test","https://www.example.com/","CN=Stephen Butterworth,OU=Example,CN=Ubilogin,DC=test","stephen.butterworth@example.org","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"
Access denied
An access denied entry is generated when an authenticated user is denied access to a web application.
"Access denied" - entry format:
| Field Name | Timestamp | IP-Address | "access denied" | Session ID | Authentication Request Origin | Reason of Denial | User Agent |
|---|---|---|---|---|---|---|---|
| Example Values | "2003-08-26 13:50:39,244" | "192.168.0.66" | "access denied" | "bb4d4463c8e45564e41cb62d734eee1b" | "cn=Ubilogin,ou=System,dc=example" | "No permission" | "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1" |
Where fields are:
| Field Name | Description |
|---|---|
| Session ID | Unique identifier generated for the single sign-on session when it is created. |
| Authentication Request Origin | The LDAP name of the client application which initiated the authentication process. |
| Reason of Denial | Reason for the access denial. |
| User Agent | Value of the User-Agent HTTP request header. |
Example:
"2003-08-26 13:50:39,244", "192.168.0.66", "access denied", "bb4d4463c8e45564e41cb62d734eee1b", "cn=Ubilogin,ou=System,dc=example", "No permission", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"
Assertion received
An assertion received entry is generated when an authentication assertion is received. (Exact attributes will vary depending on the authentication method used.)
"Assertion received"-entry format:
| Field Name | Timestamp | IP-Address | "assertion received" | Session ID | Authentication Method | Authenticator ID | Attributes | User Agent |
|---|---|---|---|---|---|---|---|---|
| Example Values | "2011-10-12 09:06:38,294" | "195.197.205.34" | "assertion received" | "_cabe0d9d07d42172a8e7af5de2425dca1c9154dc" | "saml.vetuma.1" | "MPL_fcfe337dd7b3-89fb9311-09f6-4876-9592-0c58a7e6e353-bccf3cb3304b" | "urn%3Aoid%3A2.5.4.3=NORDEA+%2F+DEMO&urn%3Aoid%3A1.2.246.21=210281-9988&urn%3Aoid%3A1.3.6.1.4.1.31350.1.11=https%3A%2F%2Fsolo3.nordea.fi%2Fcgi-bin%2FSOLO3011" | "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2" |
Where fields are:
| Field Name | Description |
|---|---|
| Session ID | Unique identifier generated for the single sign-on session when it is created. |
| Authentication Method | Name of the authentication method used. |
| 3rd Party Authentication ID | Identifier of the authentication event, which can be specified by the 3rd party identity provider. If the 3rd party identity provider does not specify an identifier, SSO generates a random string and uses it as the value instead. Some authentication methods which set the Authenticator ID: |
| Attributes | Attributes configured to be shown in the audit log. See more at: Logging attributes to audit log |
| User Agent | Value of the User-Agent HTTP request header. |
Example:
"2011-10-12 09:06:38,294","195.197.205.34","assertion received","_cabe0d9d07d42172a8e7af5de2425dca1c9154dc","saml.vetuma.1","MPL_fcfe337dd7b3-89fb9311-09f6-4876-9592-0c58a7e6e353-bccf3cb3304b","urn%3Aoid%3A2.5.4.3=NORDEA+%2F+DEMO&urn%3Aoid%3A1.2.246.21=210281-9988&urn%3Aoid%3A1.3.6.1.4.1.31350.1.11=https%3A%2F%2Fsolo3.nordea.fi%2Fcgi-bin%2FSOLO3011","Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"
Logout
A logout entry is generated when a user logs out from Ubisecure SSO.
"Logout" - entry format:
| Field Name | Timestamp | IP-Address | "logout" | Session ID | User Agent |
|---|---|---|---|---|---|
| Example Values | | | | | |