Audit log description - SSO
Table of Contents
Introduction
While Ubisecure SSO writes several distinct logs, this page describes the audit log. The audit log is written to files which are named according to the convention uas_audit.[date].log. All log files beginning with uas_audit and continue with the [date] formatted as YYYY-MM-DD and end with a .log extension.
General format
The log is written in Comma Separated Values-format (CSV). Each row represents one log entry. Each entry contains several fields, these values are enclosed in quotation marks and are separated with commas. First field of each row is an ISO 8601 formatted timestamp. Second field is the client's IP address. If "proxy.remote-addr-name = x-forwarded-for" is configured for the system, in addition to client's IP, the proxy IPs will also be included in comma-separated format. Third field represents the type of the log entry. Remaining fields depend on the log entry type.
General log entry format:
| Timestamp | IP-address | Type | ... |
Where fields are:
| Field Name | Description |
|---|---|
| Timestamp | Time when event occurred. ISO8601-formatted timestamp. |
| IP-address | IP Address of user client / IP Address of user client, proxy IPs |
| Type | Type of event |
Entry types
There are currently ten possible log entry types: authentication method list, authentication method selected, login, invalid login, ticket granted, assertion received, access denied, logout, consent confirmed and consent rejected. Each of these will be detailed with example content for each field in the listing below.
Authentication method list
An authentication method list entry is generated when a user is shown the authentication method list.
"Authentication method list" - entry format:
| Field Name | Timestamp | IP-address | "authentication method list" | Session ID | Authentication Request O rigin | User Agent |
|---|---|---|---|---|---|---|
| Example Values | "2003-08-25 12:57:02,622" | "192.168.0.66" | "authentication method list" | "dfff2af759817ce44c3d31654e1b573" | "cn=service,ou=example,dc=example " | "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1" |
Where fields are:
| Field Name | Description |
|---|---|
| Session ID | Unique identifier generated for the single sign-on session when it is created. |
| Authentication Request Origin | The LDAP name of the client application which initiated the authentication process. |
| User Agent | Identification of the Web client used for authentication from the "User-Agent" HTTP request header. |
Example:
"2003-08-25 12:57:02,622", "192.168.0.66", "authentication method list", "dfff2af759817ce44c3d31654e1b573", "cn=service,ou=example,dc=example ", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"
Authentication method selection
An authentication method selection entry is generated when a user selects an authentication method or there is only one applicable authentication method that the system selects.
"Authentication method selected" - entry format:
| Field Name | Timestamp | IP-address | "authentication method selected" | Session ID | Authentication Method | Authentication Request Origin | User Agent |
|---|---|---|---|---|---|---|---|
| Example Values | "2003-08-25 12:57:44,449" | "192.168.0.66" | "authentication method selected" | "dfff2af759817ce44c3d31654e1b573" | "tupas.1" | "cn=service,ou=example,dc=example" | "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1 " |
Where fields are:
| Field Name | Description |
|---|---|
| Session ID | Unique identifier generated for the single sign-on session when it is created. |
| Authentication Method | The name of the selected authentication method. |
| Authentication Request Origin | The LDAP name of the client application which initiated the authentication process. |
| User Agent | Identification of the Web client used for authentication from the "User-Agent" HTTP request header. |
Example:
"2003-08-25 12:57:44,449", "192.168.0.66", "authentication method selected", "dfff2af759817ce44c3d31654e1b573", "tupas.1", "cn=service,ou=example,dc=example", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1 "
Login
A login entry is generated when a user has authenticated successfully. In SSO, this may occur several times during the same session.
"Login" - entry format:
| Field Name | Timestamp | IP-address | "login" | Session ID | Authentication ID | Authentication Method | Ubisecure User ID | Authentication Method User ID | Authentication Request Origin | 3rd Party Authentication ID | User Agent |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Example Values | "2003-08-25 12:58:07,250" | "192.168.0.66" | "login" | "dfff2af759817ce44c3d31654e1b573" | "1dc4a5c9c4228be" | "tupas.1" | "uid=010101+2221,cn=tupas.1,cn=Server,ou=System,dc=example" | "010101+2221" | "cn=service,ou=example,dc=example" | "805485067" | "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1" |
Where fields are:
| Field Name | Description |
|---|---|
| Session ID | Unique identifier generated for the single sign-on session when it is created. |
| Authentication ID | Identifier generated by SSO for an authentication within the single sign-on session. |
| Authentication Method | Name of the used authentication method. |
| Ubisecure User ID | Unique identifier for the user For users that are registered in an LDAP directory, this is their LDAP name. For users that are registered in an SQL Directory, this is formed from their uniqueid and the LDAP name of the authentication method. For other users, this is formed from the Authentication Method User ID and the LDAP name of the authentication method. |
| Authentication Method User ID | Authentication Method User ID value is dependant on used authentication method:
|
| Authentication Request Origin | The LDAP name of the client application which initiated the authentication process. |
| 3rd Party Authentication ID | Identifier of the authentication event, which can be specified by the 3rd party identity provider. If the 3rd party identity provider doesn't specify an identifier, then SSO generates a random string and uses it as the value instead. Some authentication methods which set the Authenticator ID:
|
| User Agent | Value of User-Agent HTTP request header. |
Example:
"2003-08-25 12:58:07,250" ,"192.168.0.66" ,"login", "dfff2af759817ce44c3d31654e1b573", "1dc4a5c9c4228be", "tupas.1", "uid=010101+2221,cn=tupas.1,cn=Server,ou=System,dc=example", "010101+2221","cn=service,ou=example,dc=example","805485067", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"
Invalid login
An invalid login entry is generated when a user authentication fails. This failure can be for any reason, any session that does not complete during authentication will be logged as an invalid login with the reason for login failure stated in the log entry.
"invalid login" - entry format:
| Field Name | Timestamp | IP-address | "invalid login" | Session ID | Authentication Method | Authentication Method User ID | Authentication Request Origin | Reason For Failure | User Agent |
|---|---|---|---|---|---|---|---|---|---|
| Example Values | "2020-05-29 08:50:01,090" | "172.27.0.1" | "invalid login" | "_e89ac671b7b5ec6a2fce69664f9eaca390a916a4" | "password.1" | "exampeUser" | "cn=Ubilogin,ou=System,cn=Ubilogin,dc=test" | "The user was not found" | "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0" |
Where fields are:
| Field Name | Description |
|---|---|
| Session ID | Unique identifier generated for the single sign-on session when it is created. |
| Authentication Method | Name of the used authentication method. |
| Authentication Method User ID | Authentication Method User ID value is dependant on used authentication method:
|
| Authentication Request Origin | The LDAP name of the client application which initiated the authentication process. |
| Reason for Failure | Reason for login failure. |
| User Agent | Value of User-Agent HTTP request header. |
Example:
"2020-05-29 08:50:01,090","172.27.0.1","invalid login","_e89ac671b7b5ec6a2fce69664f9eaca390a916a4","password.1","exampeUser","cn=Ubilogin,ou=System,cn=Ubilogin,dc=test","The user was not found","Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0"
Ticket granted
A ticket granted entry is generated when a user is granted access to the client application.
"Ticket granted"-entry format:
| Field Name | Timestamp | IP-Address | "ticket granted" | Session ID | Authentication ID | Authentication Request Origin | Redirect URL | Ubisecure User ID | Web Application User ID | User Agent |
|---|---|---|---|---|---|---|---|---|---|---|
| Example Values | "2020-05-27 13:30:02,547" | "192.168.0.66" | "ticket granted" | "_11a098a6b573f8eb8e57a0bdd04ac784a9337b4c" | "4955a04e12589570" | "cn=client1,ou=OIDC-testing,ou=System,cn=Ubilogin,dc=test" | "https://www.example.com/" | "CN=Stephen Butterworth,OU=Example,CN=Ubilogin,DC=test" | "stephen.butterworth@example.org" | "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" |
Where fields are:
| Field Name | Description |
|---|---|
| Session ID | Unique identifier generated for the single sign-on session when it is created. |
| Authentication ID | Identifier generated by SSO for an authentication within the single sign-on session. |
| Authentication Request Origin | The LDAP name of the client application which initiated the authentication process. |
| Redirect URL | The URL to forward the user to after the authentication flow has been completed. |
| Ubisecure User ID | Unique identifier for the user For users that are registered in an LDAP directory, this is their LDAP name. For users that are registered in an SQL Directory, this is formed from their uniqueid and the LDAP name of the authentication method. For other users, this is formed from the Authentication Method User ID and the LDAP name of the authentication method. |
| Web Application User ID | The username sent to the application. The source of this data depends on the type of the application. Administrators can override this by setting a value in the authorization policy with attribute name 'username' which allows customizing the logged value. |
| User Agent | Value of User-Agent HTTP request header. |
Example:
"2020-05-27 13:30:02,547","192.168.0.66","ticket granted","_11a098a6b573f8eb8e57a0bdd04ac784a9337b4c","4955a04e12589570","cn=client1,ou=OIDC-testing,ou=System,cn=Ubilogin,dc=test","https://www.example.com/","CN=Stephen Butterworth,OU=Example,CN=Ubilogin,DC=test","stephen.butterworth@example.org","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"
Access denied
An access denied entry is generated when an authenticated user is denied access to a web application.
"Access denied" - entry format:
| Field Name | Timestamp | IP-Address | "access denied" | Session ID | Authentication Request Origin | Reason of Denial | User Agent |
|---|---|---|---|---|---|---|---|
| Example Values | "2003-08-26 13:50:39,244" | "192.168.0.66" | "access denied" | "bb4d4463c8e45564e41cb62d734eee1b" | "cn=Ubilogin,ou=System,dc=example" | "No permission" | "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1" |
Where fields are:
| Field Name | Description |
|---|---|
| Session ID | Unique identifier generated for the single sign-on session when it is created. |
| Authentication Request Origin | The LDAP name of the client application which initiated the authentication process. |
| Reason of Denial | Reason for access denial. |
| User Agent | Value of User-Agent HTTP request header. |
Example:
"2003-08-26 13:50:39,244", "192.168.0.66", "access denied", "bb4d4463c8e45564e41cb62d734eee1b", "cn=Ubilogin,ou=System,dc=example", "No permission", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"
Assertion received
An assertion received entry is generated when an authentication assertion is received. (Exact attributes will vary depending on the authentication method used.)
"Assertion received"-entry format:
| Field Name | Timestamp | IP-Address | "assertion received" | Session ID | Authentication Method | Authenticator ID | Attributes | User Agent |
|---|---|---|---|---|---|---|---|---|
| Example Values | "2011-10-12 09:06:38,294" | "195.197.205.34" | "assertionreceived" | "cabe0d9d07d42172a8e7af5de2425dca1c9154dc" | "saml.vetuma.1" | "MPL_fcfe337dd7b3-89fb9311-09f6-4876-9592-0c58a7e6e353-bccf3cb3304b" | "urn%3Aoid%3A2.5.4.3=NORDEA+%2F+DEMO&urn%3Aoid%3A1.2.246.21=210281-9988&urn%3Aoid%3A1.3.6.1.4.1.31350.1.11=https%3A%2F%2Fsolo3.nordea.fi%2Fcgi-bin%2FSOLO3011" | "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2" |
Where fields are:
| Field Name | Description |
|---|---|
| Session ID | Unique identifier generated for the single sign-on session when it is created. |
| Authentication Method | Name of the used authentication method. |
| 3rd Party Authentication ID | Identifier of the authentication event, which can be specified by the 3rd party identity provider. If the 3rd party identity provider doesn't specify an identifier, then SSO generates a random string and uses it as the value instead. Some authentication methods which set the Authenticator ID:
|
| Attributes | Attributes configured to be shown in Audit Log. See more at: Logging attributes to audit log |
| User Agent | Value of User-Agent HTTP request header. |
Example:
"2011-10-12 09:06:38,294","195.197.205.34","assertionreceived", _"cabe0d9d07d42172a8e7af5de2425dca1c9154dc","saml.vetuma.1","MPL_fcfe337dd7b3-89fb9311-09f6-4876-9592-0c58a7e6e353-bccf3cb3304b","urn%3Aoid%3A2.5.4.3=NORDEA+%2F+DEMO&urn%3Aoid%3A1.2.246.21=210281-9988&urn%3Aoid%3A1.3.6.1.4.1.31350.1.11=https%3A%2F%2Fsolo3.nordea.fi%2Fcgi-bin%2FSOLO3011","Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"
Logout
A logout entry is generated when a user logs out from Ubisecure SSO.
"Logout" - entry format:
| Field Name | Timestamp | IP-Address | "logout" | Session ID | User Agent |
|---|---|---|---|---|---|
| Example Values | "2003-08-25 12:58:08,993" | "192.168.0.66" | "logout" | "dfff2af759817ce44c3d31654e1b573" | "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1" |
Where fields are:
| Field Name | Description |
|---|---|
| Session ID | Unique identifier generated for the single sign-on session when it is created. |
| User Agent | Value of User-Agent HTTP request header. |
Example:
"2003-08-25 12:58:08,993", "192.168.0.66", "logout", "dfff2af759817ce44c3d31654e1b573", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"
Consent confirmed
A "consent confirmed" entry can be generated if a system, service or application is configured to require consent during the authentication process. The consent confirmed entry is generated after a successful login, meaning the user has accepted transmitting their personal data to the system, service or application they want to access. The consent confirmed entry is followed by a ticket granted entry. See also, Consent rejected below.
"Consent confirmed"-entry format
| Field name | Timestamp | IP-Address | Entry type | Session ID | Authentication ID | Authentication Request Origin | Scopes | Audiences | Ubisecure User ID | Web Application User ID | User agent |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Example values | "2003-08-25 12:57:02,622" | "192.168.0.66" | "consent confirmed" | "dfff2af759817ce44c3d31654e1b573" | "73b678dd2c736959" | "cn=service,ou=example,dc=example" | "scope1 scope2" | "client.id.1 client.id.2" | "uid=010101+2221,cn=authn.1,cn=Server,ou=System,dc=example" | "mappedUsername" | "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1" |
Where fields are:
| Field Name | Description |
|---|---|
| Session ID | Unique identifier generated for the single sign-on session when it is created. |
| Authentication ID | Identifier generated by SSO for an authentication within the single sign-on session. |
| Authentication Request Origin | The LDAP name of the client application which initiated the authentication process. |
| Scopes | Scopes are relevant only for OAuth2 applications including OpenID Connect. Each scope defines a set of user attributes in the user's account. An application can request one or more scopes from which SSO derives the valid scopes that can be granted. The name of the requested scopes are then presented to the user in the consent screen, and the access token issued to the application will be limited to the scopes granted. In the audit log only the scopes mapped with the authorization policy to user attributes are listed in this column using a space as the delimiter between each scope. |
| Audiences | Audiences are relevant only for OAuth2 applications including OpenID Connect. If a scope an application is requesting refers to another application with that applications client ID in SSO, the IDs of those applications are listed in this column. This entry uses a space as the delimiter between of the application client IDs. |
| Ubisecure User ID | Unique identifier for the user For users that are registered in an LDAP directory, this is their LDAP name. For users that are registered in an SQL Directory, this is formed from their uniqueid and the LDAP name of the authentication method. For other users, this is formed from the Authentication Method User ID and the LDAP name of the authentication method. |
| Web Application User ID | The username sent to the application. The source of this data depends on the type of the application. Administrators can override this by setting a value in the authorization policy with attribute name 'username' which allows customizing the logged value. |
| User Agent | Value of User-Agent HTTP request header. |
Example:
"2020-05-27 13:30:02,439","0:0:0:0:0:0:0:1","consent confirmed","_11a098a6b573f8eb8e57a0bdd04ac784a9337b4c","4955a04e12589570","cn=client1,ou=OIDC-testing,ou=System,cn=Ubilogin,dc=test","name","","cn=Administrator,ou=System,cn=Ubilogin,dc=test","","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"
Consent rejected
A "consent rejected" entry can be generated if system is configured to require consent during the authentication process. The entry is generated after a successful login if the user rejects transmitting his/her data by cancelling the authentication process. Any time a user rejects, or declines to grant the requested scopes, a consent rejected log entry is generated. See also, Consent confirmed above.
"Consent rejected"-entry format
| Field name | Timestamp | IP-Address | Entry type | Session ID | Authentication ID | Authentication Request Origin | Scopes | Audiences | Ubisecure User ID | Web Application User ID | User agent |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Example values | "2003-08-25 12:57:02,622" | "192.168.0.66" | "consent rejected" | "dfff2af759817ce44c3d31654e1b573" | "73b678dd2c736959" | "cn=service,ou=example,dc=example" | "scope1 scope2" | "client.id.1 client.id.2" | "uid=010101+2221,cn=authn.1,cn=Server,ou=System,dc=example" | "mappedUsername" | "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1" |
Where fields are:
| Field Name | Description |
|---|---|
| Session ID | Unique identifier generated for the single sign-on session when it is created. |
| Authentication ID | Identifier generated by SSO for an authentication within the single sign-on session. |
| Authentication Request Origin | The LDAP name of the client application which initiated the authentication process. |
| Scopes | Scopes are relevant only for OAuth2 applications including OpenID Connect. Each scope defines a set of user attributes in the user's account, An application can request one or more scopes from which SSO derives the valid scopes that can be granted. The name of those scopes are then presented to the user in the consent screen, which in this case the user rejects. In the audit log only the scopes mapped with the authorization policy to user attributes are listed in this column with space as the delimiter. |
| Audiences | Audiences are relevant only for OAuth2 applications including OpenID Connect. If a scope an application is requesting refers to another application with its client ID in SSO the IDs of those applications are listed in this column with space as the delimiter. |
| Ubisecure User ID | Unique identifier for the user For users that are registered in an LDAP directory, this is their LDAP name. For users that are registered in an SQL Directory, this is formed from their uniqueid and the LDAP name of the authentication method. For other users, this is formed from the Authentication Method User ID and the LDAP name of the authentication method. |
| Web Application User ID | The username sent to the application. The source of this data depends on the type of the application. Administrators can override this by setting a value in the authorization policy with attribute name 'username' which allows customizing the logged value. |
| User Agent | Value of User-Agent HTTP request header. |
Example:
"2020-05-27 13:29:46,547","0:0:0:0:0:0:0:1","consent rejected","_11a098a6b573f8eb8e57a0bdd04ac784a9337b4c","73b678dd2c736959","cn=client1,ou=OIDC-testing,ou=System,cn=Ubilogin,dc=test","name","","cn=Administrator,ou=System,cn=Ubilogin,dc=test","","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"