Audit log description - SSO

Introduction

While Ubisecure SSO writes several distinct logs, this page describes the audit log. The audit log is written to files named according to the convention uas_audit.[date].log: each file name begins with uas_audit, continues with the [date] formatted as YYYY-MM-DD, and ends with the .log extension (for example uas_audit.2020-05-29.log).

General format

The log is written in Comma Separated Values (CSV) format. Each row represents one log entry. An entry consists of several fields; each value is enclosed in double quotation marks and the values are separated by commas. The first field of each row is an ISO 8601-style timestamp (date and time, with a comma before the milliseconds, as in "2003-08-25 12:57:02,622"). The second field is the client's IP address. If proxy.remote-addr-name = x-forwarded-for is configured for the system, the same field also contains the proxy IPs, comma-separated; because those commas sit inside the quoted value, the row must be parsed as CSV rather than split on commas. Keep in mind that X-Forwarded-For is supplied by the requesting party, so only the address added by a proxy you control can be trusted. The third field is the type of the log entry. The remaining fields depend on the entry type.

General log entry format:

"Timestamp","IP-address","Type",...

Where fields are:

Timestamp
    Time when the event occurred, as a timestamp of the form YYYY-MM-DD HH:MM:SS,mmm.
IP-address
    IP address of the user's client; when proxy IPs are logged, the client address and the proxy addresses, comma-separated inside the one quoted value.
Type
    Type of event (one of the entry types listed below).
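As an added example (not code from the Ubisecure documentation or product), the following Python parser reads rows in the general format just described. It uses the csv module so that a comma-separated proxy chain inside the quoted IP field is not split apart, parses the timestamp with its comma-separated milliseconds, and tolerates the spaces around commas that appear in some of the examples on this page. The sample rows, and the assumption that the first address in the IP field is the client with proxy hops following, are the example's own.

```python
"""Parse Ubisecure SSO audit log rows (general format) into records.

Added example, not Ubisecure code. Assumption not stated on the page:
the first address in the IP field is the client, later ones are proxy hops.
"""
import csv
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import List


@dataclass
class AuditRecord:
    timestamp: datetime
    client_ip: str        # first address of the IP field
    proxy_ips: List[str]  # further addresses, present when x-forwarded-for is logged
    entry_type: str       # third field, e.g. "login", "invalid login"
    rest: List[str]       # type-specific fields, in log order
    raw: str


def parse_timestamp(value: str) -> datetime:
    # The log writes "2003-08-25 12:57:02,622": a comma precedes the milliseconds.
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S,%f")


def split_ip_field(value: str):
    """Split "client[, proxy1, proxy2]" into (client, [proxies]).

    X-Forwarded-For is supplied by the caller; only the address appended by a
    proxy you control can be trusted, so the whole chain is kept for analysis.
    """
    addrs = [a.strip() for a in value.split(",") if a.strip()]
    if not addrs:
        raise ValueError("empty IP field")
    for a in addrs:
        ipaddress.ip_address(a)  # ValueError on garbage; accepts IPv4 and IPv6 (e.g. 0:0:0:0:0:0:0:1)
    return addrs[0], addrs[1:]


def parse_audit_log(text: str) -> List[AuditRecord]:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # csv keeps commas inside quoted values together; skipinitialspace and
        # strip() tolerate the '"a", "b"' and '"a" ,"b"' spacing seen in examples.
        fields = [f.strip() for f in next(csv.reader([line], skipinitialspace=True))]
        if len(fields) < 3:
            raise ValueError(f"malformed audit row: {line!r}")
        client, proxies = split_ip_field(fields[1])
        records.append(AuditRecord(parse_timestamp(fields[0]), client, proxies,
                                   fields[2], fields[3:], line))
    return records


# Constructed sample rows: the first is modelled on this page's invalid login
# example; the second is made up to show a proxy chain and loose spacing.
SAMPLE_LOG = """\
"2020-05-29 08:50:01,090","172.27.0.1","invalid login","_e89ac671b7b5ec6a2fce69664f9eaca390a916a4","password.1","exampleUser","cn=Ubilogin,ou=System,cn=Ubilogin,dc=test","The user was not found","Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0"
"2020-05-29 08:50:07,412" ,"203.0.113.7, 10.0.0.12", "logout", "_e89ac671b7b5ec6a2fce69664f9eaca390a916a4", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0"
"""

if __name__ == "__main__":
    for r in parse_audit_log(SAMPLE_LOG):
        print(r.timestamp.isoformat(), r.client_ip, r.proxy_ips, r.entry_type, len(r.rest))
```

The per-type field layouts described in the rest of this page can then be applied to the rest list by position, with the entry type selecting the layout.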

Entry types

There are currently ten possible log entry types:

  • authentication method list
  • authentication method selected
  • login
  • invalid login
  • ticket granted
  • assertion received
  • access denied
  • logout
  • consent confirmed
  • consent rejected  

Each of these will be detailed with example content for each field in the listing below. 

Authentication method list

An authentication method list entry is generated when a user is shown the authentication method list.

"Authentication method list" - entry format:

Field                            Example value
Timestamp                        "2003-08-25 12:57:02,622"
IP-address                       "192.168.0.66"
Type                             "authentication method list"
Session ID                       "dfff2af759817ce44c3d31654e1b573"
Authentication Request Origin    "cn=service,ou=example,dc=example"
User Agent                       "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"

Where fields are:

Session ID
    Unique identifier generated for the single sign-on session when it is created.
Authentication Request Origin
    The LDAP name of the client application which initiated the authentication process.
User Agent
    Identification of the web client used for authentication, taken from the User-Agent HTTP request header.

Example:

"2003-08-25 12:57:02,622","192.168.0.66","authentication method list","dfff2af759817ce44c3d31654e1b573","cn=service,ou=example,dc=example","Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"

Authentication method selection

An authentication method selected entry is generated when a user selects an authentication method, or when only one authentication method is applicable and the system selects it automatically.

"Authentication method selected" - entry format:

Field                            Example value
Timestamp                        "2003-08-25 12:57:44,449"
IP-address                       "192.168.0.66"
Type                             "authentication method selected"
Session ID                       "dfff2af759817ce44c3d31654e1b573"
Authentication Method            "tupas.1"
Authentication Request Origin    "cn=service,ou=example,dc=example"
User Agent                       "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"

Where fields are:

Session ID
    Unique identifier generated for the single sign-on session when it is created.
Authentication Method
    The name of the selected authentication method.
Authentication Request Origin
    The LDAP name of the client application which initiated the authentication process.
User Agent
    Identification of the web client used for authentication, taken from the User-Agent HTTP request header.

Example:

"2003-08-25 12:57:44,449","192.168.0.66","authentication method selected","dfff2af759817ce44c3d31654e1b573","tupas.1","cn=service,ou=example,dc=example","Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"

Login

A login entry is generated when a user has authenticated successfully. With single sign-on this may occur several times during the same session; each authentication within the session gets its own Authentication ID.

"Login" - entry format:

Field                            Example value
Timestamp                        "2003-08-25 12:58:07,250"
IP-address                       "192.168.0.66"
Type                             "login"
Session ID                       "dfff2af759817ce44c3d31654e1b573"
Authentication ID                "1dc4a5c9c4228be"
Authentication Method            "tupas.1"
Ubisecure User ID                "uid=010101+2221,cn=tupas.1,cn=Server,ou=System,dc=example"
Authentication Method User ID    "010101+2221"
Authentication Request Origin    "cn=service,ou=example,dc=example"
3rd Party Authentication ID      "805485067"
User Agent                       "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"

Where fields are:

Session ID
    Unique identifier generated for the single sign-on session when it is created.
Authentication ID
    Identifier generated by SSO for an authentication within the single sign-on session.
Authentication Method
    Name of the authentication method used.
Ubisecure User ID
    Unique identifier for the user.
    For users registered in an LDAP directory, this is their LDAP name.
    For users registered in an SQL directory, this is formed from their uniqueid and the LDAP name of the authentication method.
    For other users, this is formed from the Authentication Method User ID and the LDAP name of the authentication method.
Authentication Method User ID
    The value depends on the authentication method used:
      • Password: login name
      • SAML: value of the NameID of the Assertion element
      • OIDC: value of the ID Token claim specified by the usernameClaim configuration string (sub by default)
Authentication Request Origin
    The LDAP name of the client application which initiated the authentication process.
3rd Party Authentication ID
    Identifier of the authentication event, which a 3rd party identity provider can supply. If the identity provider does not supply one, SSO generates a random string and uses that instead. The same value is logged as the Authenticator ID of the assertion received entry. Authentication methods that set it include:
      • SAML: the value of the ID attribute of the Assertion element.
      • Authentication Provider (i.e. Ubilogin Agent V0): the value of the sessionid response parameter.
User Agent
    Value of the User-Agent HTTP request header.

Example:

"2003-08-25 12:58:07,250","192.168.0.66","login","dfff2af759817ce44c3d31654e1b573","1dc4a5c9c4228be","tupas.1","uid=010101+2221,cn=tupas.1,cn=Server,ou=System,dc=example","010101+2221","cn=service,ou=example,dc=example","805485067","Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"

Invalid login

An invalid login entry is generated when a user authentication fails. The failure can have any cause: every authentication attempt that does not complete successfully is logged as an invalid login, with the reason for the failure stated in the entry.

"Invalid login" - entry format:

Field                            Example value
Timestamp                        "2020-05-29 08:50:01,090"
IP-address                       "172.27.0.1"
Type                             "invalid login"
Session ID                       "_e89ac671b7b5ec6a2fce69664f9eaca390a916a4"
Authentication Method            "password.1"
Authentication Method User ID    "exampeUser"
Authentication Request Origin    "cn=Ubilogin,ou=System,cn=Ubilogin,dc=test"
Reason For Failure               "The user was not found"
User Agent                       "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0"

Where fields are:

Session ID
    Unique identifier generated for the single sign-on session when it is created.
Authentication Method
    Name of the authentication method used.
Authentication Method User ID
    The value depends on the authentication method used:
      • Password: login name
      • SAML: value of the NameID of the Assertion element
      • OIDC: value of the sub claim of the ID Token
Authentication Request Origin
    The LDAP name of the client application which initiated the authentication process.
Reason For Failure
    Reason for the login failure.
User Agent
    Value of the User-Agent HTTP request header.

Example:

"2020-05-29 08:50:01,090","172.27.0.1","invalid login","_e89ac671b7b5ec6a2fce69664f9eaca390a916a4","password.1","exampeUser","cn=Ubilogin,ou=System,cn=Ubilogin,dc=test","The user was not found","Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0"
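Invalid login entries are the natural input for credential-attack detection. The following added example (not Ubisecure code) reads rows in the invalid login format above and raises an alert when one account accumulates too many failures inside a time window (brute force) or one source address fails against too many distinct accounts (password spraying). The window, the thresholds, the sample rows and the reason string "Invalid password" are the example's own; the page only documents "The user was not found".

```python
"""Flag bursts of "invalid login" entries per source IP and per account.

Added example, not Ubisecure code. Field positions follow the "invalid login"
format (0-based): 0 timestamp, 1 IP, 2 type, 5 Authentication Method User ID,
7 Reason For Failure. Thresholds, window and sample rows are the example's own.
"""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
MAX_FAILURES_PER_USER = 5   # one account, many failures: brute force
MAX_USERS_PER_IP = 3        # one address, many accounts: password spraying


def iter_invalid_logins(text):
    """Yield (time, client_ip, user, reason) for each invalid login row."""
    for line in text.splitlines():
        if not line.strip():
            continue
        f = [x.strip() for x in next(csv.reader([line], skipinitialspace=True))]
        if len(f) >= 9 and f[2] == "invalid login":
            ts = datetime.strptime(f[0], "%Y-%m-%d %H:%M:%S,%f")
            client_ip = f[1].split(",")[0].strip()  # first hop if a proxy chain is logged (assumption)
            yield ts, client_ip, f[5], f[7]


def detect(text):
    """Return alerts as (time, kind, key, detail), in log order.

    Each key alerts once, when its threshold is first crossed inside WINDOW.
    """
    per_user = defaultdict(deque)  # user -> failure timestamps within WINDOW
    per_ip = defaultdict(deque)    # ip -> (timestamp, user) within WINDOW
    alerts, alerted = [], set()
    for ts, ip, user, reason in iter_invalid_logins(text):
        q = per_user[user]
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()
        if len(q) >= MAX_FAILURES_PER_USER and ("user", user) not in alerted:
            alerted.add(("user", user))
            alerts.append((ts, "brute-force", user,
                           f"{len(q)} failures in {WINDOW}; last reason: {reason}"))

        p = per_ip[ip]
        p.append((ts, user))
        while ts - p[0][0] > WINDOW:
            p.popleft()
        distinct = {u for _, u in p}
        if len(distinct) >= MAX_USERS_PER_IP and ("ip", ip) not in alerted:
            alerted.add(("ip", ip))
            alerts.append((ts, "password-spray", ip,
                           f"{len(distinct)} distinct users in {WINDOW}"))
    return alerts


def row(ts, ip, user, reason="The user was not found"):
    """Constructed sample row in the invalid login format (session, origin and UA fixed)."""
    return (f'"{ts}","{ip}","invalid login","_e89ac671b7b5ec6a2fce69664f9eaca390a916a4",'
            f'"password.1","{user}","cn=Ubilogin,ou=System,cn=Ubilogin,dc=test","{reason}",'
            f'"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0"')


SAMPLE_LOG = "\n".join([
    row("2020-05-29 08:50:01,090", "172.27.0.1", "alice"),
    row("2020-05-29 08:50:03,210", "172.27.0.1", "bob"),
    row("2020-05-29 08:50:05,330", "172.27.0.1", "carol"),  # third account from one address
    row("2020-05-29 08:51:00,000", "198.51.100.9", "dave", "Invalid password"),
    row("2020-05-29 08:51:10,000", "198.51.100.9", "dave", "Invalid password"),
    row("2020-05-29 08:51:20,000", "198.51.100.9", "dave", "Invalid password"),
    row("2020-05-29 08:51:30,000", "198.51.100.9", "dave", "Invalid password"),
    row("2020-05-29 08:51:40,000", "198.51.100.9", "dave", "Invalid password"),  # fifth failure
    row("2020-05-29 09:30:00,000", "198.51.100.9", "dave", "Invalid password"),  # outside WINDOW
])

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The Reason For Failure field is worth keeping in the alert: a run of "The user was not found" against many names from one address looks like account enumeration, while repeated failures with a wrong password against one existing account is a guessing attack on that account.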

Ticket granted

A ticket granted entry is generated when a user is granted access to the client application.

"Ticket granted" - entry format:

Field                            Example value
Timestamp                        "2020-05-27 13:30:02,547"
IP-address                       "192.168.0.66"
Type                             "ticket granted"
Session ID                       "_11a098a6b573f8eb8e57a0bdd04ac784a9337b4c"
Authentication ID                "4955a04e12589570"
Authentication Request Origin    "cn=client1,ou=OIDC-testing,ou=System,cn=Ubilogin,dc=test"
Redirect URL                     "https://www.example.com/"
Ubisecure User ID                "CN=Stephen Butterworth,OU=Example,CN=Ubilogin,DC=test"
Web Application User ID          "stephen.butterworth@example.org"
User Agent                       "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"

Where fields are:

Session ID
    Unique identifier generated for the single sign-on session when it is created.
Authentication ID
    Identifier generated by SSO for an authentication within the single sign-on session.
Authentication Request Origin
    The LDAP name of the client application which initiated the authentication process.
Redirect URL
    The URL the user is forwarded to after the authentication flow has completed.
Ubisecure User ID
    Unique identifier for the user.
    For users registered in an LDAP directory, this is their LDAP name.
    For users registered in an SQL directory, this is formed from their uniqueid and the LDAP name of the authentication method.
    For other users, this is formed from the Authentication Method User ID and the LDAP name of the authentication method.
Web Application User ID
    The username sent to the application. Its source depends on the type of the application. Administrators can override it by setting an attribute named 'username' in the authorization policy, which also changes the logged value.
User Agent
    Value of the User-Agent HTTP request header.

Example:

"2020-05-27 13:30:02,547","192.168.0.66","ticket granted","_11a098a6b573f8eb8e57a0bdd04ac784a9337b4c","4955a04e12589570","cn=client1,ou=OIDC-testing,ou=System,cn=Ubilogin,dc=test","https://www.example.com/","CN=Stephen Butterworth,OU=Example,CN=Ubilogin,DC=test","stephen.butterworth@example.org","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"
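A ticket granted entry shares its Session ID and Authentication ID with the login entry that backs it (see the login format above), so the two can be joined to see which applications each authentication was used for. The following added example (not Ubisecure code) does that join, reports the applications per session, and flags tickets that have no backing login among the parsed rows or whose Ubisecure User ID differs from the login's. Field positions follow the login and ticket granted formats on this page; the login row, the second application client2 and the fourth row are constructed, the first ticket granted row is the page's own example.

```python
"""Join "login" and "ticket granted" audit entries on Session ID and Authentication ID.

Added example, not Ubisecure code. Field positions follow the "login" and
"ticket granted" formats on this page. Sample rows are constructed, except
the ticket granted row taken from the page's example.
"""
import csv
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Login:
    time: str
    session: str
    auth_id: str
    method: str      # Authentication Method
    user: str        # Ubisecure User ID
    origin: str      # Authentication Request Origin


@dataclass
class Ticket:
    time: str
    session: str
    auth_id: str
    app: str         # Authentication Request Origin (application receiving the ticket)
    redirect: str    # Redirect URL
    user: str        # Ubisecure User ID
    app_user: str    # Web Application User ID


def parse(text: str) -> Tuple[Dict[Tuple[str, str], Login], List[Ticket]]:
    """Index logins by (Session ID, Authentication ID); collect tickets in log order."""
    logins, tickets = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = [x.strip() for x in next(csv.reader([line], skipinitialspace=True))]
        if f[2] == "login" and len(f) >= 11:
            logins[(f[3], f[4])] = Login(f[0], f[3], f[4], f[5], f[6], f[8])
        elif f[2] == "ticket granted" and len(f) >= 10:
            tickets.append(Ticket(f[0], f[3], f[4], f[5], f[6], f[7], f[8]))
    return logins, tickets


def correlate(text: str):
    """Return (report, findings).

    report:   Session ID -> [(application, authentication method, Ubisecure User ID), ...]
    findings: (time, session, finding, detail) for tickets without a backing login
              among the parsed rows (the login may sit in an earlier, rotated file,
              but it is worth a look) or whose user differs from the login's.
    """
    logins, tickets = parse(text)
    report: Dict[str, list] = defaultdict(list)
    findings = []
    for t in tickets:
        login = logins.get((t.session, t.auth_id))
        if login is None:
            findings.append((t.time, t.session, "ticket without login in parsed rows", t.app))
            method = "unknown"
        else:
            method = login.method
            if login.user != t.user:
                findings.append((t.time, t.session, "ticket user differs from login user",
                                 f"{login.user} != {t.user}"))
        report[t.session].append((t.app, method, t.user))
    return dict(report), findings


SESSION = "_11a098a6b573f8eb8e57a0bdd04ac784a9337b4c"
USER = "CN=Stephen Butterworth,OU=Example,CN=Ubilogin,DC=test"
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"
CLIENT1 = "cn=client1,ou=OIDC-testing,ou=System,cn=Ubilogin,dc=test"
CLIENT2 = "cn=client2,ou=OIDC-testing,ou=System,cn=Ubilogin,dc=test"  # constructed second application

SAMPLE_LOG = "\n".join([
    # constructed login preceding the page's ticket granted example
    f'"2020-05-27 13:29:55,100","192.168.0.66","login","{SESSION}","4955a04e12589570","password.1","{USER}","stephen.butterworth","{CLIENT1}","a1b2c3d4e5f6","{UA}"',
    f'"2020-05-27 13:30:02,547","192.168.0.66","ticket granted","{SESSION}","4955a04e12589570","{CLIENT1}","https://www.example.com/","{USER}","stephen.butterworth@example.org","{UA}"',
    # the same authentication reused for a second application (single sign-on)
    f'"2020-05-27 13:31:10,003","192.168.0.66","ticket granted","{SESSION}","4955a04e12589570","{CLIENT2}","https://app2.example.com/","{USER}","stephen.butterworth@example.org","{UA}"',
    # a ticket whose login is not among the parsed rows
    f'"2020-05-27 13:32:00,000","192.168.0.77","ticket granted","_9f8e7d6c5b4a39281706f5e4d3c2b1a0f9e8d7c6","0123456789abcdef","{CLIENT1}","https://www.example.com/","CN=Someone Else,OU=Example,CN=Ubilogin,DC=test","someone.else@example.org","{UA}"',
])

if __name__ == "__main__":
    report, findings = correlate(SAMPLE_LOG)
    for session, apps in report.items():
        print(session, apps)
    for finding in findings:
        print("FINDING", *finding)
```

When the log is rotated daily, run the join over the current file together with the previous one, otherwise logins from just before midnight will show up as tickets without a login.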

Access denied

An access denied entry is generated when an authenticated user is denied access to a web application.

"Access denied" - entry format:

Field                            Example value
Timestamp                        "2003-08-26 13:50:39,244"
IP-address                       "192.168.0.66"
Type                             "access denied"
Session ID                       "bb4d4463c8e45564e41cb62d734eee1b"
Authentication Request Origin    "cn=Ubilogin,ou=System,dc=example"
Reason of Denial                 "No permission"
User Agent                       "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"

Where fields are:

Session ID
    Unique identifier generated for the single sign-on session when it is created.
Authentication Request Origin
    The LDAP name of the client application which initiated the authentication process.
Reason of Denial
    Reason for the access denial.
User Agent
    Value of the User-Agent HTTP request header.

Example:

"2003-08-26 13:50:39,244","192.168.0.66","access denied","bb4d4463c8e45564e41cb62d734eee1b","cn=Ubilogin,ou=System,dc=example","No permission","Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"

Assertion received

An assertion received entry is generated when an authentication assertion is received from the identity provider behind the authentication method. (The attributes logged vary with the authentication method used.) Note that the example below shows the entry type written as assertionreceived, without a space; match both spellings when filtering on this entry type.

"Assertion received" - entry format:

Field                            Example value
Timestamp                        "2011-10-12 09:06:38,294"
IP-address                       "195.197.205.34"
Type                             "assertionreceived"
Session ID                       "cabe0d9d07d42172a8e7af5de2425dca1c9154dc"
Authentication Method            "saml.vetuma.1"
Authenticator ID                 "MPL_fcfe337dd7b3-89fb9311-09f6-4876-9592-0c58a7e6e353-bccf3cb3304b"
Attributes                       "urn%3Aoid%3A2.5.4.3=NORDEA+%2F+DEMO&urn%3Aoid%3A1.2.246.21=210281-9988&urn%3Aoid%3A1.3.6.1.4.1.31350.1.11=https%3A%2F%2Fsolo3.nordea.fi%2Fcgi-bin%2FSOLO3011"
User Agent                       "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"

Where fields are:

Session ID
    Unique identifier generated for the single sign-on session when it is created.
Authentication Method
    Name of the authentication method used.
Authenticator ID (3rd Party Authentication ID)
    Identifier of the authentication event, which a 3rd party identity provider can supply. If the identity provider does not supply one, SSO generates a random string and uses that instead. The same value is logged as the 3rd Party Authentication ID of the login entry. Authentication methods that set it include:
      • SAML: the value of the ID attribute of the Assertion element.
      • Authentication Provider (i.e. Ubilogin Agent V0): the value of the sessionid response parameter.
Attributes
    The attributes configured to be shown in the audit log, URL-encoded as name=value pairs joined with &. See: Logging attributes to audit log.
User Agent
    Value of the User-Agent HTTP request header.

Example:

"2011-10-12 09:06:38,294","195.197.205.34","assertionreceived","cabe0d9d07d42172a8e7af5de2425dca1c9154dc","saml.vetuma.1","MPL_fcfe337dd7b3-89fb9311-09f6-4876-9592-0c58a7e6e353-bccf3cb3304b","urn%3Aoid%3A2.5.4.3=NORDEA+%2F+DEMO&urn%3Aoid%3A1.2.246.21=210281-9988&urn%3Aoid%3A1.3.6.1.4.1.31350.1.11=https%3A%2F%2Fsolo3.nordea.fi%2Fcgi-bin%2FSOLO3011","Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"

Logout

A logout entry is generated when a user logs out from Ubisecure SSO.

"Logout" - entry format:

Field                            Example value
Timestamp                        "2003-08-25 12:58:08,993"
IP-address                       "192.168.0.66"
Type                             "logout"
Session ID                       "dfff2af759817ce44c3d31654e1b573"
User Agent                       "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"

Where fields are:

Session ID
    Unique identifier generated for the single sign-on session when it is created.
User Agent
    Value of the User-Agent HTTP request header.

Example:

"2003-08-25 12:58:08,993","192.168.0.66","logout","dfff2af759817ce44c3d31654e1b573","Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"

Consent confirmed

A "consent confirmed" entry can be generated if a system, service or application is configured to require consent during the authentication process. The entry is written after a successful login, when the user has accepted transmitting their personal data to the system, service or application they want to access, and it is followed by a ticket granted entry. See also Consent rejected below.

"Consent confirmed" - entry format:

Field                            Example value
Timestamp                        "2003-08-25 12:57:02,622"
IP-address                       "192.168.0.66"
Type                             "consent confirmed"
Session ID                       "dfff2af759817ce44c3d31654e1b573"
Authentication ID                "73b678dd2c736959"
Authentication Request Origin    "cn=service,ou=example,dc=example"
Scopes                           "scope1 scope2"
Audiences                        "client.id.1 client.id.2"
Ubisecure User ID                "uid=010101+2221,cn=authn.1,cn=Server,ou=System,dc=example"
Web Application User ID          "mappedUsername"
User Agent                       "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"

Where fields are:

Session ID
    Unique identifier generated for the single sign-on session when it is created.
Authentication ID
    Identifier generated by SSO for an authentication within the single sign-on session.
Authentication Request Origin
    The LDAP name of the client application which initiated the authentication process.
Scopes
    Scopes are relevant only for OAuth 2.0 applications, including OpenID Connect. Each scope defines a set of user attributes in the user's account. An application can request one or more scopes, from which SSO derives the scopes that can actually be granted. The names of the requested scopes are presented to the user on the consent screen, and the access token issued to the application is limited to the scopes granted. In the audit log only the scopes that the authorization policy maps to user attributes are listed in this column, separated by spaces.
Audiences
    Audiences are relevant only for OAuth 2.0 applications, including OpenID Connect. If a requested scope refers to another application (by that application's client ID in SSO), the client IDs of those applications are listed in this column, separated by spaces.
Ubisecure User ID
    Unique identifier for the user.
    For users registered in an LDAP directory, this is their LDAP name.
    For users registered in an SQL directory, this is formed from their uniqueid and the LDAP name of the authentication method.
    For other users, this is formed from the Authentication Method User ID and the LDAP name of the authentication method.
Web Application User ID
    The username sent to the application. Its source depends on the type of the application. Administrators can override it by setting an attribute named 'username' in the authorization policy, which also changes the logged value.
User Agent
    Value of the User-Agent HTTP request header.

Example (here the Audiences and Web Application User ID fields are empty):

"2020-05-27 13:30:02,439","0:0:0:0:0:0:0:1","consent confirmed","_11a098a6b573f8eb8e57a0bdd04ac784a9337b4c","4955a04e12589570","cn=client1,ou=OIDC-testing,ou=System,cn=Ubilogin,dc=test","name","","cn=Administrator,ou=System,cn=Ubilogin,dc=test","","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"

Consent rejected

A "consent rejected" entry can be generated if the system is configured to require consent during the authentication process. The entry is written after a successful login when the user declines to transmit their data, either by cancelling the authentication process or by declining to grant the requested scopes. See also Consent confirmed above.

"Consent rejected" - entry format:

Field                            Example value
Timestamp                        "2003-08-25 12:57:02,622"
IP-address                       "192.168.0.66"
Type                             "consent rejected"
Session ID                       "dfff2af759817ce44c3d31654e1b573"
Authentication ID                "73b678dd2c736959"
Authentication Request Origin    "cn=service,ou=example,dc=example"
Scopes                           "scope1 scope2"
Audiences                        "client.id.1 client.id.2"
Ubisecure User ID                "uid=010101+2221,cn=authn.1,cn=Server,ou=System,dc=example"
Web Application User ID          "mappedUsername"
User Agent                       "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"

Where fields are:

Session ID
    Unique identifier generated for the single sign-on session when it is created.
Authentication ID
    Identifier generated by SSO for an authentication within the single sign-on session.
Authentication Request Origin
    The LDAP name of the client application which initiated the authentication process.
Scopes
    Scopes are relevant only for OAuth 2.0 applications, including OpenID Connect. Each scope defines a set of user attributes in the user's account. An application can request one or more scopes, from which SSO derives the scopes that can actually be granted. The names of those scopes are presented to the user on the consent screen, which in this case the user rejects. In the audit log only the scopes that the authorization policy maps to user attributes are listed in this column, separated by spaces.
Audiences
    Audiences are relevant only for OAuth 2.0 applications, including OpenID Connect. If a requested scope refers to another application (by that application's client ID in SSO), the client IDs of those applications are listed in this column, separated by spaces.
Ubisecure User ID
    Unique identifier for the user.
    For users registered in an LDAP directory, this is their LDAP name.
    For users registered in an SQL directory, this is formed from their uniqueid and the LDAP name of the authentication method.
    For other users, this is formed from the Authentication Method User ID and the LDAP name of the authentication method.
Web Application User ID
    The username sent to the application. Its source depends on the type of the application. Administrators can override it by setting an attribute named 'username' in the authorization policy, which also changes the logged value.
User Agent
    Value of the User-Agent HTTP request header.

Example (here the Audiences and Web Application User ID fields are empty):

"2020-05-27 13:29:46,547","0:0:0:0:0:0:0:1","consent rejected","_11a098a6b573f8eb8e57a0bdd04ac784a9337b4c","73b678dd2c736959","cn=client1,ou=OIDC-testing,ou=System,cn=Ubilogin,dc=test","name","","cn=Administrator,ou=System,cn=Ubilogin,dc=test","","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"