23.4 Enabling Identity Server Audit Events

  1. On the Home page, click Identity Servers > [cluster name] > Audit and Logging > Audit Logging.

  2. Enable Audit Logging.

  3. Select one or more of the following events:

    Select All Audit Logging Options: Enable this option to audit all events.

    Turn on the Audit Logging option for individual audit event, as relevant.

    Each option is listed below as the event name followed by its description.

    SIGN IN

    Login Provided
        Generated when an identity provider sends authentication to a service provider. Role assignment audit events are included in authentication audit events for Identity Server.

    Login Provided Failure
        Generated when an identity provider attempts to send authentication to a service provider but fails.

    Login Consumed
        Generated when a user is authenticated locally or by an external identity provider. Role assignment audit events are included in authentication audit events for Identity Server.

    Login Consumed Failure
        Generated when Identity Server initiates authentication, but the process fails.

    SIGN OUT

    Logout Provided
        Generated when an identity provider sends a logout request to a service provider that it has authenticated.

    Logout Local
        Generated when Identity Server receives a logout command from a user.

    FEDERATION

    Federation Request Sent
        Generated when a service provider attempts to federate with an identity provider.

    Federation Request Handled
        Generated by Identity Server when processing a request for federation.

    Federation Token Sent
        Generated when a token is sent for federation.

    Federation Token Received
        Generated when a token is received for federation.

    DEFEDERATION

    Defederation Request Sent
        Generated when a request for defederation is sent to another provider.

    Defederation Request Handled
        Generated when Identity Server processes a request for defederation.

    REGISTER NAME

    Register Name Request Handled
        Generated when Identity Server processes a request for changing a name identifier.

    Attribute Query Request Handled
        Generated when processing an attribute request from a service provider.

    WEB SERVICE

    Web Service Query Handled
        Generated when a web service query request is sent to an identity provider.

    Web Service Modify Handled
        Generated when a web service modify request is sent to an identity provider.

    USER ACCOUNT

    User Account Provisioned
        Generated by Identity Server, when functioning as an identity consumer, when an account has been provisioned.

    User Account Provisioned Failure
        Generated by Identity Server, when functioning as an identity consumer, when account provisioning has failed.

    LDAP

    LDAP Connection Lost
        Generated when the LDAP connection is lost.

    LDAP Connection Reestablished
        Generated when the LDAP connection is reestablished.

    SERVER

    Server Started
        Generated when a server gets the start command from the server communications module.

    Server Stopped
        Generated when a server gets the stop command from the server communications module.

    Server Refreshed
        Generated when a server gets the refresh command from the server communications module.

    INTRUDER

    Intruder Lockout Detected
        Generated when an attempt to log in as a particular user with an invalid password has occurred more times than the directory allows.

    COMPONENT LOG

    Component Log Severe Messages
        Logged for all component messages with a level of Severe.

    Component Log Warning Messages
        Logged for all component messages with a level of Warning.

    BROKERING

    Brokering Across Groups Denied
        Generated when a brokering authentication request is denied to a target service provider because the identity provider and the target service provider do not belong to the same brokering group.

    Brokering Rule Evaluated to Deny
        Generated when a brokering authentication request is denied to a target service provider because the brokering policy evaluation resulted in deny.

    Brokering Handled
        The total number of brokering authentication requests that Identity Server has handled since it started.

    WebService Request Authenticated
        Generated when a user is authenticated for requesting a token for a web service.

    WebService Request Authentication Failed
        Generated when a user's authentication fails for requesting a token for a web service.

    TOKEN

    Token Issued To WebService
        Generated when a token is issued for accessing a web service.

    Token Issued To WebService Failed
        Generated when a request to issue a token for accessing a web service fails.

    Token Validated To A WebService
        Generated when a token is validated for a web service.

    Token Validation To WebService Failed
        Generated when a token validation for accessing a web service fails.

    Token Renewed
        Generated when a token is renewed for a web service.

    Token Renew Failed
        Generated when renewing a token for a web service fails.

    RISK-BASED

    Risk-Based Authentication Succeeded
        Generated when the rule execution succeeds.

    Risk-Based Authentication Failed
        Generated when the rule execution fails.

    Risk-Based Authentication Action Invoked
        Generated when the rule execution succeeds and the user is requested to perform additional authentication.

    Risk-based Pre-authentication Succeeded
        Generated when the pre-authentication rule execution succeeds.

    Risk-based Pre-authentication Failed
        Generated when the pre-authentication rule execution fails.

    Risk-based Pre-authentication Action Invoked
        Generated when the pre-authentication rule execution succeeds and the user is requested to perform additional authentication.

    Risk-based IP List Load From Datasource Failed
        Generated when fetching the IP address list from the datasource fails.

    Risk-based Device Fingerprint Rule Created
        Generated when a new fingerprint rule is created for a user device.

    Risk-based Device Fingerprint Rule Match Failed
        Generated when a device fingerprint does not match the stored device fingerprint.

    OAUTH AND OPENID

    OAuth & OpenID Token Issued
        Generated when an OAuth Authorization code, OAuth token, ID token, or Refresh token is issued. Also generated when Identity Server does not issue a code or tokens for an OAuth authorization request whose response_type is none.

    OAuth & OpenID Token Issue Failed
        Generated when issuing an OAuth Authorization code, OAuth token, ID token, or Refresh token fails.

    OAuth Consent Provided
        Generated when OAuth consent is provided to a client application.

    OAuth Consent Revoked
        Generated when OAuth consent is revoked from a client application.

    OAuth Client Applications
        Generated in the following scenarios:

        • When a client is registered, updated, or deleted.

        • When a client registration fails.

    OAuth & OpenID Token Validation Success
        Generated when an OAuth and OpenID token is validated successfully.

    OAuth & OpenID Token Validation Failed
        Generated when an OAuth and OpenID token validation fails.

    OAuth Refresh Token Revocation Success
        Generated when an OAuth refresh token revocation request succeeds.

    OAuth Refresh Token Revocation Failed
        Generated when an OAuth refresh token revocation request fails.

    SESSION ASSURANCE

    Authorization Code from AA Server
        Generated when an authorization code is sent from the Advanced Authentication server to Access Manager.

    Access Token from AA Server
        Generated when an access token is sent from the Advanced Authentication server to Access Manager.

    Session Assurance Device Fingerprint Match Failed
        Generated when the device fingerprint match fails for an Identity Server session.

    IMPERSONATION

    Impersonation Sign-in
        Generated when a helpdesk user logs in as an impersonator to a user's setup.

    Impersonation Sign-out
        Generated when a helpdesk user logs out as an impersonator from a user's setup.

    Impersonation Requested
        Generated when a request is sent to a user to allow impersonating the user's identity.

    Impersonation Denied by Impersonatee
        Generated when a user denies the impersonation request.

    Impersonation Approved by Impersonatee
        Generated when a user approves the impersonation request.

    Impersonation Request Canceled by Impersonator
        Generated when an impersonator cancels the impersonation request sent to an impersonatee.

    Impersonation Policy Failed
        Generated when a helpdesk user tries to access their own account as an impersonator.

    Federation Step-up
        Generated on success or failure of federated step-up authentication where Access Manager acts as a SAML 2.0 service provider.

  4. Click Save.

  5. Update the Identity Server.

Identity Server records in audit events the IP address of the client machine from which authentication requests originate. If the client machine is behind a proxy, the proxy IP address is logged instead. To log the actual client machine IP address rather than the proxy IP address, configure the RemoteIpValve in the Identity Server server.xml file. For information about how to modify a file, see Modifying Configurations.

For more information, see Remote IP Valve.

Recording the Source IP Address from the X-Forwarded-For Header

To configure audit events to record the source IP address carried in the X-Forwarded-For header, perform the following steps:

  1. Add the following Valve element inside the Engine element of the server.xml file, directly after the opening Engine tag, as shown:

    For information about how to modify a file, see Modifying Configurations.

        <Engine defaultHost="localhost" name="Catalina">
          <!-- internalProxies is a regular expression; list only the proxies and
               load balancers you control, or clients can forge the logged address -->
          <Valve className="org.apache.catalina.valves.RemoteIpValve"
                 internalProxies="IP addresses" />
          <!-- the existing Host and other child elements of Engine stay here -->
        </Engine>

  2. Substitute the IP addresses with the IP addresses of the proxy and the load balancer.
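As an added illustration (this is not code from the Access Manager documentation or from Tomcat), the following Python models how RemoteIpValve decides which address ends up in the audit event, so you can check what a given internalProxies value will log. The regex in DEFAULT_INTERNAL_PROXIES is constructed here after Tomcat's documented default, and the sample addresses are constructed test values.

```python
import re


# Constructed for this example, modelled on Tomcat's documented default for
# internalProxies (private RFC 1918 ranges, link-local and IPv4 loopback).
DEFAULT_INTERNAL_PROXIES = (
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|"
    r"169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|"
    r"172\.(1[6-9]|2[0-9]|3[0-1])\.\d{1,3}\.\d{1,3}"
)


def resolve_client_ip(remote_addr, x_forwarded_for,
                      internal_proxies=DEFAULT_INTERNAL_PROXIES,
                      trusted_proxies=None):
    """Return (client_ip, trusted_hops) the way RemoteIpValve computes them.

    remote_addr: the TCP peer address Tomcat actually sees.
    x_forwarded_for: raw X-Forwarded-For header value, or None.
    internal_proxies / trusted_proxies: full-match regular expressions
    (Tomcat uses java.util.regex; Python's re is close enough here).
    """
    internal = re.compile(internal_proxies)
    trusted = re.compile(trusted_proxies) if trusted_proxies else None

    # The header is only honoured when the peer itself is an internal proxy.
    # A client connecting directly cannot change what gets audited by
    # sending its own X-Forwarded-For.
    if not x_forwarded_for or not internal.fullmatch(remote_addr):
        return remote_addr, []

    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    trusted_hops = []
    client = remote_addr
    # Walk right to left: the rightmost hop is the one nearest Tomcat.
    for hop in reversed(hops):
        client = hop
        if internal.fullmatch(hop):
            continue                      # internal proxy: dropped entirely
        if trusted and trusted.fullmatch(hop):
            trusted_hops.insert(0, hop)   # trusted proxy: kept in proxies header
            continue
        break                             # first unknown address is the client
    return client, trusted_hops
```

Anything the client places to the left of the address the trusted proxy appended is ignored, which is why internalProxies must cover exactly the proxy and load balancer addresses and nothing broader.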