Table of Contents

Introduction

While Ubisecure SSO writes several distinct logs, this page describes the audit log. The audit log is written to files which are named according to the convention uas_audit.[date].log. All log files beginning with uas_audit and continue with the [date] formatted as YYYY-MM-DD and end with a .log extension.

General format

The log is written in Comma Separated Values-format (CSV). Each row represents one log entry. Each entry contains several fields, these values are enclosed in quotation marks and are separated with commas. First field of each row is an ISO 8601 formatted timestamp. Second field is the client's IP address. If "proxy.remote-addr-name = x-forwarded-for" is configured for the system, in addition to client's IP, the proxy IPs will also be included in comma-separated format. Third field represents the type of the log entry. Remaining fields depend on the log entry type.

General log entry format:

Timestamp

IP-address

Type

...

Where fields are:

Field Name	Description
Timestamp	Time when event occurred. ISO8601-formatted timestamp.
IP-address	IP Address of user client / IP Address of user client, proxy IPs
Type	Type of event

Entry types

There are currently ten possible log entry types: authentication method list, authentication method selected, login, invalid login, ticket granted, assertion received, access denied, logout, consent confirmed and consent rejected. Each of these will be detailed with example content for each field in the listing below.

Authentication method list

An authentication method list entry is generated when a user is shown the authentication method list.

"Authentication method list" - entry format:

Field Name

Timestamp

IP-address

"authentication method list"

Session ID

Authentication Request O

rigin

User Agent

Example Values

"2003-08-25 12:57:02,622"

"192.168.0.66"

"authentication method list"

"dfff2af759817ce44c3d31654e1b573"

"cn=service,ou=example,dc=example "

"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"

Where fields are:

Field Name	Description
Session ID	Unique identifier generated for the single sign-on session when it is created.
Authentication Request Origin	The LDAP name of the client application which initiated the authentication process.
User Agent	Identification of the Web client used for authentication from the "User-Agent" HTTP request header.

Example:

"2003-08-25 12:57:02,622", "192.168.0.66", "authentication method list", "dfff2af759817ce44c3d31654e1b573", "cn=service,ou=example,dc=example ", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"

Authentication method selection

An authentication method selection entry is generated when a user selects an authentication method or there is only one applicable authentication method that the system selects.

"Authentication method selected" - entry format:

Field Name

Timestamp

IP-address

"authentication method selected"

Session ID

Authentication Method

Authentication Request Origin

User Agent

Example Values

"2003-08-25 12:57:44,449"

"192.168.0.66"

"authentication method selected"

"dfff2af759817ce44c3d31654e1b573"

"tupas.1"

"cn=service,ou=example,dc=example"

"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1 "

Where fields are:

Field Name	Description
Session ID	Unique identifier generated for the single sign-on session when it is created.
Authentication Method	The name of the selected authentication method.
Authentication Request Origin	The LDAP name of the client application which initiated the authentication process.
User Agent	Identification of the Web client used for authentication from the "User-Agent" HTTP request header.

Example:

"2003-08-25 12:57:44,449", "192.168.0.66", "authentication method selected", "dfff2af759817ce44c3d31654e1b573", "tupas.1", "cn=service,ou=example,dc=example", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1 "

A login entry is generated when a user has authenticated successfully. In SSO, this may occur several times during the same session.

"Login" - entry format:

Field Name

Timestamp

IP-address

"login"

Session ID

Authentication ID

Authentication Method

Ubisecure User ID

Authentication Method User ID

Authentication Request Origin

3^rd Party Authentication ID

User Agent

Example Values

"2003-08-25 12:58:07,250"

"192.168.0.66"

"login"

"dfff2af759817ce44c3d31654e1b573"

"1dc4a5c9c4228be"

"tupas.1"

"uid=010101+2221,cn=tupas.1,cn=Server,ou=System,dc=example"

"010101+2221"

"cn=service,ou=example,dc=example"

"805485067"

"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"

Where fields are:

Field Name	Description
Session ID	Unique identifier generated for the single sign-on session when it is created.
Authentication ID	Identifier generated by SSO for an authentication within the single sign-on session.
Authentication Method	Name of the used authentication method.
Ubisecure User ID	Unique identifier for the user For users that are registered in an LDAP directory, this is their LDAP name. For users that are registered in an SQL Directory, this is formed from their uniqueid and the LDAP name of the authentication method. For other users, this is formed from the Authentication Method User ID and the LDAP name of the authentication method.
Authentication Method User ID	Authentication Method User ID value is dependant on used authentication method: Password: Login name SAML: Value of the `NameID` attribute of the `Assertion` element OIDC: Value of the ID Token claim specified by `usernameClaim` conf string (`sub` by default)
Authentication Request Origin	The LDAP name of the client application which initiated the authentication process.
3^rd Party Authentication ID	Identifier of the authentication event, which can be specified by the 3rd party identity provider. If the 3rd party identity provider doesn't specify an identifier, then SSO generates a random string and uses it as the value instead. Some authentication methods which set the Authenticator ID: For SAML method it's the value of the `ID` attribute of the `Assertion` element. For Authentication Provider (i.e. Ubilogin Agent V0) method it's the value of `sessionid` response parameter.
User Agent	Value of User-Agent HTTP request header.

Example:

"2003-08-25 12:58:07,250" ,"192.168.0.66" ,"login", "dfff2af759817ce44c3d31654e1b573", "1dc4a5c9c4228be", "tupas.1", "uid=010101+2221,cn=tupas.1,cn=Server,ou=System,dc=example", "010101+2221","cn=service,ou=example,dc=example","805485067", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"

Invalid login

An invalid login entry is generated when a user authentication fails. This failure can be for any reason, any session that does not complete during authentication will be logged as an invalid login with the reason for login failure stated in the log entry.

"invalid login" - entry format:

Field Name

Timestamp

IP-address

"invalid login"

Session ID

Authentication Method

Authentication Method User ID

Authentication Request Origin

Reason For Failure

User Agent

Example Values

"2020-05-29 08:50:01,090"

"172.27.0.1"

"invalid login"

"_e89ac671b7b5ec6a2fce69664f9eaca390a916a4"

"password.1"

"exampeUser"

"cn=Ubilogin,ou=System,cn=Ubilogin,dc=test"

"The user was not found"

"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0"

Where fields are:

Field Name	Description
Session ID	Unique identifier generated for the single sign-on session when it is created.
Authentication Method	Name of the used authentication method.
Authentication Method User ID	Authentication Method User ID value is dependant on used authentication method: Password: Login name SAML: Value of the `NameID` attribute of the `Assertion` element OIDC: ID Token's `sub` attribute
Authentication Request Origin	The LDAP name of the client application which initiated the authentication process.
Reason for Failure	Reason for login failure.
User Agent	Value of User-Agent HTTP request header.

Example:

"2020-05-29 08:50:01,090","172.27.0.1","invalid login","_e89ac671b7b5ec6a2fce69664f9eaca390a916a4","password.1","exampeUser","cn=Ubilogin,ou=System,cn=Ubilogin,dc=test","The user was not found","Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0"

Ticket granted

A ticket granted entry is generated when a user is granted access to the client application.

"Ticket granted"-entry format:

Field Name

Timestamp

IP-Address

"ticket granted"

Session ID

Authentication ID

Authentication Request Origin

Redirect URL

Ubisecure User ID

Web Application User ID

User Agent

Example Values

"2020-05-27 13:30:02,547"

"192.168.0.66"

"ticket granted"

"_11a098a6b573f8eb8e57a0bdd04ac784a9337b4c"

"4955a04e12589570"

"cn=client1,ou=OIDC-testing,ou=System,cn=Ubilogin,dc=test"

"https://www.example.com/"

"CN=Stephen Butterworth,OU=Example,CN=Ubilogin,DC=test"

"stephen.butterworth@example.org"

"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"

Where fields are:

Field Name	Description
Session ID	Unique identifier generated for the single sign-on session when it is created.
Authentication ID	Identifier generated by SSO for an authentication within the single sign-on session.
Authentication Request Origin	The LDAP name of the client application which initiated the authentication process.
Redirect URL	The URL to forward the user to after the authentication flow has been completed.
Ubisecure User ID	Unique identifier for the user For users that are registered in an LDAP directory, this is their LDAP name. For users that are registered in an SQL Directory, this is formed from their uniqueid and the LDAP name of the authentication method. For other users, this is formed from the Authentication Method User ID and the LDAP name of the authentication method.
Web Application User ID	The username sent to the application. The source of this data depends on the type of the application. Administrators can override this by setting a value in the authorization policy with attribute name 'username' which allows customizing the logged value.
User Agent	Value of User-Agent HTTP request header.

Example:

"2020-05-27 13:30:02,547","192.168.0.66","ticket granted","_11a098a6b573f8eb8e57a0bdd04ac784a9337b4c","4955a04e12589570","cn=client1,ou=OIDC-testing,ou=System,cn=Ubilogin,dc=test","https://www.example.com/","CN=Stephen Butterworth,OU=Example,CN=Ubilogin,DC=test","stephen.butterworth@example.org","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"

Access denied

An access denied entry is generated when an authenticated user is denied access to a web application.

"Access denied" - entry format:

Field Name

Timestamp

IP-Address

"access denied"

Session ID

Authentication Request Origin

Reason of Denial

User Agent

Example Values

"2003-08-26 13:50:39,244"

"192.168.0.66"

"access denied"

"bb4d4463c8e45564e41cb62d734eee1b"

"cn=Ubilogin,ou=System,dc=example"

"No permission"

"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"

Where fields are:

Field Name	Description
Session ID	Unique identifier generated for the single sign-on session when it is created.
Authentication Request Origin	The LDAP name of the client application which initiated the authentication process.
Reason of Denial	Reason for access denial.
User Agent	Value of User-Agent HTTP request header.

Example:

"2003-08-26 13:50:39,244", "192.168.0.66", "access denied", "bb4d4463c8e45564e41cb62d734eee1b", "cn=Ubilogin,ou=System,dc=example", "No permission", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"

Assertion received

An assertion received entry is generated when an authentication assertion is received. (Exact attributes will vary depending on the authentication method used.)

"Assertion received"-entry format:

Field Name

Timestamp

IP-Address

"assertion received"

Session ID

Authentication Method

Authenticator ID

Attributes

User Agent

Example Values

"2011-10-12 09:06:38,294"

"195.197.205.34"

"assertionreceived"

"cabe0d9d07d42172a8e7af5de2425dca1c9154dc"

"saml.vetuma.1"

"MPL_fcfe337dd7b3-89fb9311-09f6-4876-9592-0c58a7e6e353-bccf3cb3304b"

"urn%3Aoid%3A2.5.4.3=NORDEA+%2F+DEMO&urn%3Aoid%3A1.2.246.21=210281-9988&urn%3Aoid%3A1.3.6.1.4.1.31350.1.11=https%3A%2F%2Fsolo3.nordea.fi%2Fcgi-bin%2FSOLO3011"

"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"

Where fields are:

Field Name	Description
Session ID	Unique identifier generated for the single sign-on session when it is created.
Authentication Method	Name of the used authentication method.
3^rd Party Authentication ID	Identifier of the authentication event, which can be specified by the 3rd party identity provider. If the 3rd party identity provider doesn't specify an identifier, then SSO generates a random string and uses it as the value instead. Some authentication methods which set the Authenticator ID: For SAML method it's the value of the `ID` attribute of the `Assertion` element. For Authentication Provider (i.e. Ubilogin Agent V0) method it's the value of `sessionid` response parameter.
Attributes	Attributes configured to be shown in Audit Log. See more at: Logging attributes to audit log
User Agent	Value of User-Agent HTTP request header.

Example:

"2011-10-12 09:06:38,294","195.197.205.34","assertionreceived", _"cabe0d9d07d42172a8e7af5de2425dca1c9154dc","saml.vetuma.1","MPL_fcfe337dd7b3-89fb9311-09f6-4876-9592-0c58a7e6e353-bccf3cb3304b","urn%3Aoid%3A2.5.4.3=NORDEA+%2F+DEMO&urn%3Aoid%3A1.2.246.21=210281-9988&urn%3Aoid%3A1.3.6.1.4.1.31350.1.11=https%3A%2F%2Fsolo3.nordea.fi%2Fcgi-bin%2FSOLO3011","Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"

Logout

A logout entry is generated when a user logs out from Ubisecure SSO.

"Logout" - entry format:

Field Name	Timestamp	IP-Address	"logout"	Session ID	User Agent
Example Values	"2003-08-25 12:58:08,993"	"192.168.0.66"	"logout"	"dfff2af759817ce44c3d31654e1b573"	"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"

Where fields are:

Field Name	Description
Session ID	Unique identifier generated for the single sign-on session when it is created.
User Agent	Value of User-Agent HTTP request header.

Example:

"2003-08-25 12:58:08,993", "192.168.0.66", "logout", "dfff2af759817ce44c3d31654e1b573", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"

Consent confirmed

A "consent confirmed" entry can be generated if a system, service or application is configured to require consent during the authentication process. The consent confirmed entry is generated after a successful login, meaning the user has accepted transmitting their personal data to the system, service or application they want to access. The consent confirmed entry is followed by a ticket granted entry. See also, Consent rejected below.

"Consent confirmed"-entry format

Field name	Timestamp	IP-Address	Entry type	Session ID	Authentication ID	Authentication Request Origin	Scopes	Audiences	Ubisecure User ID	Web Application User ID	User agent
Example values	"2003-08-25 12:57:02,622"	"192.168.0.66"	"consent confirmed"	"dfff2af759817ce44c3d31654e1b573"	"73b678dd2c736959"	"cn=service,ou=example,dc=example"	"scope1 scope2"	"client.id.1 client.id.2"	"uid=010101+2221,cn=authn.1,cn=Server,ou=System,dc=example"	"mappedUsername"	"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"

Where fields are:

Field Name	Description
Session ID	Unique identifier generated for the single sign-on session when it is created.
Authentication ID	Identifier generated by SSO for an authentication within the single sign-on session.
Authentication Request Origin	The LDAP name of the client application which initiated the authentication process.
Scopes	Scopes are relevant only for OAuth2 applications including OpenID Connect. Each scope defines a set of user attributes in the user's account. An application can request one or more scopes from which SSO derives the valid scopes that can be granted. The name of the requested scopes are then presented to the user in the consent screen, and the access token issued to the application will be limited to the scopes granted. In the audit log only the scopes mapped with the authorization policy to user attributes are listed in this column using a space as the delimiter between each scope.
Audiences	Audiences are relevant only for OAuth2 applications including OpenID Connect. If a scope an application is requesting refers to another application with that applications client ID in SSO, the IDs of those applications are listed in this column. This entry uses a space as the delimiter between of the application client IDs.
Ubisecure User ID	Unique identifier for the user For users that are registered in an LDAP directory, this is their LDAP name. For users that are registered in an SQL Directory, this is formed from their uniqueid and the LDAP name of the authentication method. For other users, this is formed from the Authentication Method User ID and the LDAP name of the authentication method.
Web Application User ID	The username sent to the application. The source of this data depends on the type of the application. Administrators can override this by setting a value in the authorization policy with attribute name 'username' which allows customizing the logged value.
User Agent	Value of User-Agent HTTP request header.

Example:

"2020-05-27 13:30:02,439","0:0:0:0:0:0:0:1","consent confirmed","_11a098a6b573f8eb8e57a0bdd04ac784a9337b4c","4955a04e12589570","cn=client1,ou=OIDC-testing,ou=System,cn=Ubilogin,dc=test","name","","cn=Administrator,ou=System,cn=Ubilogin,dc=test","","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"

Consent rejected

A "consent rejected" entry can be generated if system is configured to require consent during the authentication process. The entry is generated after a successful login if the user rejects transmitting his/her data by cancelling the authentication process. Any time a user rejects, or declines to grant the requested scopes, a consent rejected log entry is generated. See also, Consent confirmed above.

"Consent rejected"-entry format

Field name	Timestamp	IP-Address	Entry type	Session ID	Authentication ID	Authentication Request Origin	Scopes	Audiences	Ubisecure User ID	Web Application User ID	User agent
Example values	"2003-08-25 12:57:02,622"	"192.168.0.66"	"consent rejected"	"dfff2af759817ce44c3d31654e1b573"	"73b678dd2c736959"	"cn=service,ou=example,dc=example"	"scope1 scope2"	"client.id.1 client.id.2"	"uid=010101+2221,cn=authn.1,cn=Server,ou=System,dc=example"	"mappedUsername"	"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"

Where fields are:

Field Name	Description
Session ID	Unique identifier generated for the single sign-on session when it is created.
Authentication ID	Identifier generated by SSO for an authentication within the single sign-on session.
Authentication Request Origin	The LDAP name of the client application which initiated the authentication process.
Scopes	Scopes are relevant only for OAuth2 applications including OpenID Connect. Each scope defines a set of user attributes in the user's account, An application can request one or more scopes from which SSO derives the valid scopes that can be granted. The name of those scopes are then presented to the user in the consent screen, which in this case the user rejects. In the audit log only the scopes mapped with the authorization policy to user attributes are listed in this column with space as the delimiter.
Audiences	Audiences are relevant only for OAuth2 applications including OpenID Connect. If a scope an application is requesting refers to another application with its client ID in SSO the IDs of those applications are listed in this column with space as the delimiter.
Ubisecure User ID	Unique identifier for the user For users that are registered in an LDAP directory, this is their LDAP name. For users that are registered in an SQL Directory, this is formed from their uniqueid and the LDAP name of the authentication method. For other users, this is formed from the Authentication Method User ID and the LDAP name of the authentication method.
Web Application User ID	The username sent to the application. The source of this data depends on the type of the application. Administrators can override this by setting a value in the authorization policy with attribute name 'username' which allows customizing the logged value.
User Agent	Value of User-Agent HTTP request header.

Example:

"2020-05-27 13:29:46,547","0:0:0:0:0:0:0:1","consent rejected","_11a098a6b573f8eb8e57a0bdd04ac784a9337b4c","73b678dd2c736959","cn=client1,ou=OIDC-testing,ou=System,cn=Ubilogin,dc=test","name","","cn=Administrator,ou=System,cn=Ubilogin,dc=test","","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"

Browser not supported