Accounting Service - SSO

Introduction

Accounting Service gathers authentication events of users in your system. This data is then used to report the active users in your system. The service provides three different reports:

  • Monthly active unique user counts per authentication method, which are needed to provide correct information to Ubisecure for monthly billing purposes
  • Daily active unique users per authentication method
  • Daily successful authentication events

The Accounting Service is installed as part of the SSO installation and requires a PostgreSQL database for storing this data. See the pages under SSO Installation and SSO Upgrade for more details.

Terminology

Term | Definition
Authentication method

When a user is authenticated to use an application, several authentication methods can be linked to that application, but the method on which the login is based is the one recorded as the authentication method.

In Accounting Service all authentication methods of the same type are counted as one. For instance, if you have configured several social login methods with different OAuth2 providers, those are not differentiated on the Accounting Service side but are associated with the same authentication method (type): OAUTH2.

The currently supported authentication methods are listed below; see SSO Authentication methods.

PASSWORD
TUPAS2
MOBILE.PKI
DIR.MOBILE.PKI
OAUTH2
SAML
OPENID.CONNECT
OPENID.RELYING
MOBILE.CONNECT
UBAA (deprecated)
UNREGISTERED.CIBA
DIR.CIBA
DIR.OTP
UNREGISTERED.SMTP
UNREGISTERED.SMS
DIRECT.SMS
TOTP
Ubisecure user identifier

Ubisecure user identifier is the user's identity as a Distinguished Name (DN) visible in the audit log, see Audit Log description. DN is unique but a person can be counted as many users if mapped to different DNs (registered in different directories, or registered and unregistered).

Active user

A user that has logged in to the system in the given time frame.
Unique user

Accounting Service counts users on a daily basis. Each unique combination of an authentication method and a Ubisecure user identifier during the 24-hour day (between 00:00:00.000 and 23:59:59.999) is recorded as an active daily unique user.

NOTE: The user identifier is pseudonymised with an algorithm using a secret key before the event data is stored. Changing the key in the middle of the month, or having many keys in a clustered environment, will therefore cause the same user to be counted as many.

Ticket granted event

An SSO event when a user is authenticated and authorised to access an application.
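The counting rule under "Unique user" and the key-change effect described in its NOTE, as an added example that is not Ubisecure's code. HMAC-SHA256 is an assumption standing in for the service's keyed algorithm, which this page does not name; the keys, DNs and dates are constructed.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed secret keys and audit events (date, method, user DN).
KEY_A = b"constructed-key-A"
KEY_B = b"constructed-key-B"
EVENTS = [
    ("2024-03-01", "PASSWORD", "cn=alice,ou=users,o=example"),
    ("2024-03-01", "PASSWORD", "cn=alice,ou=users,o=example"),  # repeat login
    ("2024-03-01", "OAUTH2", "cn=alice,ou=users,o=example"),
    ("2024-03-02", "PASSWORD", "cn=bob,ou=users,o=example"),
    ("2024-03-20", "PASSWORD", "cn=alice,ou=users,o=example"),
]

def pseudonymise(key, user_dn):
    # Assumption: HMAC-SHA256 stands in for the service's keyed algorithm.
    return hmac.new(key, user_dn.encode("utf-8"), hashlib.sha256).hexdigest()

def daily_unique(events, key_for_day):
    """One entry per (day, method, pseudonym): a daily active unique user."""
    return {(day, method, pseudonymise(key_for_day(day), dn))
            for day, method, dn in events}

def monthly_counts(daily):
    """Unique pseudonyms per method over the month, plus the sum row."""
    per_method = defaultdict(set)
    for _day, method, pid in daily:
        per_method[method].add(pid)
    counts = {m: len(ids) for m, ids in sorted(per_method.items())}
    counts["TOTAL"] = sum(counts.values())
    return counts

def stable_key(day):
    return KEY_A

def rotated_key(day):
    # Key changed mid-month: ISO dates compare correctly as strings.
    return KEY_A if day < "2024-03-15" else KEY_B

if __name__ == "__main__":
    print(monthly_counts(daily_unique(EVENTS, stable_key)))
    print(monthly_counts(daily_unique(EVENTS, rotated_key)))
```

With one key for the whole month the PASSWORD count is 2; with the key changed on the 15th the same user appears under two pseudonyms and the count becomes 3.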

SSO - Accounting Service integration

To collect the necessary data, SSO sends an event to the Accounting Service each time a ticket granted entry is logged in the SSO audit log; see Audit Log description.

Accounting Service handles the event asynchronously so that the effect on SSO login performance is minimal. Accounting Service stores the event in its database for further processing. A PostgreSQL database is therefore a system requirement even if SSO does not use it directly.

Figure 1. SSO - Accounting Service collects SSO authentication events

Provided features

The following table describes the current Accounting Service features. See details about usage of this service, configuring it, and managing it.

Feature | Description
Collect SSO ticket granted events

The steps included:

  • Reads a Java™ Messaging Service (JMS) message from the queue containing a ticket granted event from SSO
  • Generates a hash from "Ubisecure user identifier", which it uses as the Unique user ID
  • Secures other personally identifiable information (PII)
  • Stores the event to the respective table in the database

Calculate daily active unique users per authentication method

On a daily basis a scheduled job processes the events in the database and calculates the daily active unique users per authentication method, which it stores in the respective table in the database. The job execution time is configurable.

Calculate monthly active unique user counts per authentication method

At the end of the month a scheduled job calculates the total number of unique active users per authentication method in the month and stores it in the respective table in the database.

Clean old data from the database

A scheduled job deletes event and daily unique users data from the respective tables in the database. The job execution time and the number of days to preserve data are configurable. Monthly data is not deleted.

Produce CSV about monthly active unique user counts

Returns the data to download for the given month in the Comma Separated Values (CSV) format, with a row for each authentication method used in this month and the number of unique active users for this method. The last row contains the sum of the rows above, i.e. the total number of unique users for all authentication methods in this month.

Produce CSV about daily active unique users

Returns the data to download for the given month in the CSV format including all the days in the specified month when the users have been authenticated to the system. For each day there is a row for each unique combination of an authentication method and a user ID.

Produce CSV about daily successful events

Returns the data to download for the given day in the CSV format with a row for each successful authentication event during that day.

Secured endpoints to download CSV

Accounting Service CSV download endpoints are protected using OAuth2, Ubisecure SSO being the OAuth2 provider. There are two layers of access: browser endpoints and API endpoints. See Using Accounting Service.

Secured endpoints for Accounting Service management

Accounting Service management endpoints are secured by HTTP Basic authentication. The username and password are configured in the SSO installation process. With the management endpoints you can get the basic info, check health, or configure log levels. See Accounting Service management.

Accounting Service feature documentation