AuditUserRequest


Every request sent to Identify*Runtime is registered in this table. A service provider may send various kinds of requests to Identify*Runtime. Some will have a user in context; others will not. The type of request received is registered in the column [AuditUserRequest].[UserRequestEventId] as an enumeration value. The column [AuditUserRequest].[Value] then stores the specific values that the Request Event Type passed on to Identify*Runtime. The enumeration values and the types of values stored in these two columns are explained right after the column overview shown below.

| [Table].[Column] storing log information | Description of information stored |
| --- | --- |
| [AuditEvent].[EventType] | Identifies the type of event; for the records described here, the value in this column is AuditUserRequest. |
| [AuditEvent].[UTCTimestamp] | Specifies the date and time in UTC that the event occurred. |
| [AuditEvent].[UserName] | Saves the unique identity bearing claim in the Username column if this action is carried out via a federated user. The federated user might or might not exist in the Identify database; the user name is still registered. |
| [AuditEvent].[ApplicationId] | Identifies the name of the service provider making a request to Identify*Runtime. |
| [AuditUserRequest].[LocalTimestamp] | Specifies the local time on the server of the requesting party. |
| [AuditUserRequest].[UserRequestEventId] | See below. |
| [AuditUserRequest].[Value] | Specifies the value supplied for the request as appropriate for the specified User Request Event Id. |

Let’s take a closer look at the UserRequestEventIds that exist as well as the types of values that are stored with them. There may be two records for the same EventId (having the same "ID" in the [Value] field) as information is split every 10 lines of content.

User Request Event Id | Description | Example of [AuditUserRequest].[Value]

300 This event is generated when a service provider sends a request to Identify as Identity Provider to request authentication. It contains information about the requestor (IP-address, time stamp [IssueInstant], Issuer, AudienceRestriction) and Identify’s main endpoint, which receives requests from Service Providers and is also where responses are sent back to Service Providers (Destination).

Example of [AuditUserRequest].[Value]:

IP-address: 127.0.0.1

AuthnRequest:

ID: id469275331fcb46e487a9c9dbeec1ed8f

IssueInstant: 2011-09-23T15:07:34.0511250Z

Destination: https://identify1.safewhere.local/runtime/saml2/issue.idp

IsPassive: false

Issuer: https://spdemo.safewhere.local/

AudienceRestriction: https://spdemo.safewhere.local/

303 Login request: This event is generated when Identify acts as a service provider and it receives a login request and then forwards it to the Identity Provider (Destination). Some additional information is provided as well: IP-address, time stamp [IssueInstant].

Example of [AuditUserRequest].[Value]:

IP-address: 127.0.0.1

AuthnRequest:

ID: id1775e0696210459f8007bfa9f9a4e04a

IssueInstant: 2011-08-16T16:19:43.0078125Z

Destination: https://fed.safewhere.local/adfs/ls/

IsPassive: false

Issuer: https://identify1.safewhere.local/runtime/

AudienceRestriction: https://identify1.safewhere.local/runtime/

304 Authentication info: This event is generated when Identify Runtime selects the connection to process login requests with information about the connectionID in DB (SelectedAuthnConnectionId) and corresponding URL (rawURL).

Example of [AuditUserRequest].[Value]:

IP-address: 127.0.0.1

SelectedAuthnConnectionId: 2a5e4c05-37c4-4108-a4dc-239wer23eccc3

rawUrl: https://identify1.safewhere.local:443/runtime/usernamepasswordauth/login.idp

305 Login authentication result info: This event is generated to indicate whether the authentication is successful (True) or not (False).

Example of [AuditUserRequest].[Value]:

AuthenticationSucceeded: True

306 Login Authentication response info: This event is generated with some information about Security Token lifetime and some additional information for SAML 2 protocol. There may be two events having the same Instance Ids, as mentioned at the top of the table.

Example of [AuditUserRequest].[Value]:

RequestSecurityTokenResponse:

ReplyTo: https://identify1.safewhere.local/admin/

Lifetime:

Created: 2011-09-22T03:42:14.9109219Z

Expires: 2011-09-22T04:42:14.9109219Z

AppliesTo: https://identify1.safewhere.local/admin/

NotBefore: 2011-09-22T03:42:14.9109219Z

NotOnOrAfter: 2011-09-22T04:42:14.9109219Z

Audience: https://identify1.safewhere.local/admin/

Instance Id: 185222df-9795-470f-9f12-d0348168c3b8

IP-address: 127.0.0.1

Assertion:

ID: idaf71f6366983437b8bc6ef2f211e043e

IssueInstant: 2011-09-23T16:18:00.0706563Z

Issuer: https://identify1.safewhere.local/runtime/

InResponseTo: id143ab70d4b1145099dc9b8184653fd7a

NotBefore: 2011-09-23T16:28:00.0716328Z

NotOnOrAfter: 2011-09-23T17:18:00.0726094Z

Recipient: https://spdemo.safewhere.local/

Instance Id: 185222df-9795-470f-9f12-d0348168c3b8

AudienceRestriction: https://spdemo.safewhere.local/

AuthnInstant: 2011-09-23T16:18:00.0726094Z

SessionIndex: 1532239041

SessionNotOnOrAfter:

NameId: admin

NameIdFormat: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

RequestSecurityTokenResponse:

ReplyTo: https://identify1.safewhere.local/admin/

Lifetime:

Created: 2011-09-23T15:34:18.4026875Z

Expires: 2011-09-23T16:34:18.4026875Z

AppliesTo: https://identify1.safewhere.local/admin/

NotBefore: 2011-09-23T15:34:18.4026875Z

NotOnOrAfter: 2011-09-23T16:34:18.4026875Z

Audience: https://identify1.safewhere.local/admin/

307 Login final request info: This event is generated with some information about Security Token lifetime and some additional information for SAML 2 protocol. There may be two events having the same Instance Ids, as mentioned at the top of the table.

Example of [AuditUserRequest].[Value]:

Instance Id: eea4ca09-52b3-490e-ac03-2938e9f2a5ce

IP-address: 192.168.127.1

Assertion:

ID: _0b0f35d5-9d43-44e5-a2de-0fb32511d97e

IssueInstant: 2011-08-17T03:23:32.3880000Z

Issuer: http://fed.safewhere.local/adfs/services/trust

InResponseTo: id23d3d39c380c4c54b109d15b21be1f25

NotBefore: 2011-08-17T03:23:32.1340000Z

NotOnOrAfter: 2011-08-17T04:23:32.1340000Z

Recipient: https://identify1.safewhere.local/runtime/saml2auth/consume.idp

400 Login authentication user info: This event is generated when Identity Provider receives the user login info. At this point, it is the username that is received.

Example of [AuditUserRequest].[Value]:

UserName: admin

500 Claim information: Generated with request claim(s) info.

Example of [AuditUserRequest].[Value]:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: admin

501 Claim information: Generated with response claim(s) info.

Example of [AuditUserRequest].[Value]:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: admin

http://schemas.microsoft.com/ws/2008/06/identity/claims/role: ClaimAdmin,ConnectionAdmin,OrganizationAdmin,UserAdmin

600 Signature info: Generated with certificates info.

Example of [AuditUserRequest].[Value]:

Signature: <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" /><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#"><e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /></e:EncryptionMethod><KeyInfo><o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><X509Data><X509IssuerSerial><X509IssuerName>CN=Safewhere CA, DC=safewhere, DC=net</X509IssuerName><X509SerialNumber>21231109489652623217</X509SerialNumber></X509IssuerSerial></X509Data></o:SecurityTokenReference></KeyInfo><e:CipherData><e:CipherValue>GS7Vzt4HfpsBdEx/v…….Er7rRMMjTBC8uozf3P300t09BIh+uo</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>

330 Logout initial request: This event is generated when a service provider sends a logout request to Identify. It contains information about the requestor (IP-address, time stamp [IssueInstant], Issuer, AudienceRestriction) and Identify’s main endpoint, which receives requests from Service Providers and is also where responses are sent back to Service Providers (Destination).

Example of [AuditUserRequest].[Value]:

IP-address: 127.0.0.1

Action: wsignout1.0

BaseUri: https://identify1.safewhere.local/runtime/WSFederation/WSFederation.idp

Reply: https://identify1.safewhere.local/admin/UserAdministration/MyProfileDetail.aspx

wa: wsignout1.0

wreply: https://identify1.safewhere.local/admin/UserAdministration/MyProfileDetail.aspx

IP-address: 127.0.0.1

LogoutRequest:

ID: id8f4577743bda4fcfb0eea67ad27cc225

IssueInstant: 2011-08-16T15:29:56.2636718Z

Destination: https://identify1.safewhere.local/runtime/saml2/issue.idp

Issuer: https://spdemo.safewhere.local/

Reason: urn:oasis:names:tc:SAML:2.0:logout:user

NameId: admin

NameIdFormat: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

SessionIndex: 1979239448

331 Logout request: This event is generated when Identify acts as a service provider and it receives a logout request and then forwards it to the Identity Provider (Destination). Some additional information is provided as well: IP-address, time stamp [IssueInstant].

Example of [AuditUserRequest].[Value]:

IP-address: 192.168.127.1

LogoutRequest:

ID: id02ac0e0e0d77437f85255749d4552a0a

IssueInstant: 2011-08-17T15:43:33.6142578Z

Destination: https://fed.safewhere.local/adfs/ls/

Issuer: https://identify1.safewhere.local/runtime/

Reason:

NameId: Administrator@globeteam.org

NameIdFormat: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

SessionIndex: _45cc26ee-3b07-4d75-a33b-1f2b90ed084a

332 Logout response: This event is only generated when Identify acts as a SAML 2 service provider and it receives a logout response from the Identity Provider (Issuer).

Example of [AuditUserRequest].[Value]:

IP-address: 192.168.127.1

LogoutResponse:

ID: _8bc5f635-ec50-4ca5-a7d7-726250992c44

IssueInstant: 2011-08-17T15:43:35.9950000Z

Destination: https://identify1.safewhere.local/runtime/saml2auth/signoffresponse.idp

Issuer: http://fed.safewhere.local/adfs/services/trust

InResponseTo: id02ac0e0e0d77437f85255749d4552a0a

StatusCode: urn:oasis:names:tc:SAML:2.0:status:Success

333 Logout final response: This event is generated when all logout responses have been successful (and Identity Provider sends the final logout response to the SP who initiates logout).

Example of [AuditUserRequest].[Value]:

IP-address: 127.0.0.1

Action: wsignout1.0

BaseUri: https://identify1.safewhere.local/runtime/WSFederation/WSFederation.idp

Reply: https://identify1.safewhere.local/admin/UserAdministration/MyProfileDetail.aspx

wa: wsignout1.0

wreply: https://identify1.safewhere.local/admin/UserAdministration/MyProfileDetail.aspx

IP-address: 127.0.0.1

LogoutResponse:

ID: id38028abd77884e588b09ecf911196b86

IssueInstant: 2011-09-23T17:30:37.0735860Z

Destination: https://spdemo.safewhere.local/logout.ashx

Issuer: https://identify1.safewhere.local/runtime/

InResponseTo: id28003f34a8fb42c68c4fa5ab198cf946

StatusCode: urn:oasis:names:tc:SAML:2.0:status:Success
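
As an added example (not part of the original page and not Safewhere's code), the Python below parses [AuditUserRequest].[Value] text and pairs logout requests (event 331) with logout responses (event 332) through InResponseTo, reporting requests that never got a successful response and responses that answer no logged request. It assumes [Value] is newline-separated "Key: value" text as in the samples above and that rows arrive as (UserRequestEventId, Value) tuples; the function names are hypothetical.

```python
# Added example, not Safewhere code. Assumes [Value] is newline-separated
# "Key: value" text as in the samples; the (event_id, value) row shape is assumed.
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def parse_value(text):
    """Parse one [Value] string; a bare 'LogoutRequest:' header maps to ''."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            # Split on ": " so URL-shaped claim names keep their "http://".
            key, _, val = line.partition(": ")
            fields.setdefault(key.rstrip(":"), val.strip())
    return fields

def merge_records(rows, event_id):
    """Merge records of one event type that repeat the same ID (split values)."""
    merged = {}
    for eid, value in rows:
        fields = parse_value(value)
        if eid == event_id and "ID" in fields:
            merged.setdefault(fields["ID"], {}).update(fields)
    return merged

def unmatched_logouts(rows):
    """Return (331 request IDs with no successful 332, unsolicited 332 IDs)."""
    rows = list(rows)
    requests = merge_records(rows, 331)
    answered, unsolicited = set(), []
    for resp_id, fields in merge_records(rows, 332).items():
        ref = fields.get("InResponseTo", "")
        if ref not in requests:
            unsolicited.append(resp_id)
        elif fields.get("StatusCode") == SUCCESS:
            answered.add(ref)
    return sorted(set(requests) - answered), sorted(unsolicited)

# Constructed rows: pair 1 reuses the page's 331/332 samples; pair 2 is made up.
SAMPLE_ROWS = [
    (331, "IP-address: 192.168.127.1\nLogoutRequest:\n"
          "ID: id02ac0e0e0d77437f85255749d4552a0a\nReason:\n"
          "NameId: Administrator@globeteam.org"),
    (332, "LogoutResponse:\nID: _8bc5f635-ec50-4ca5-a7d7-726250992c44\n"
          "InResponseTo: id02ac0e0e0d77437f85255749d4552a0a\n"
          "StatusCode: " + SUCCESS),
    (331, "LogoutRequest:\nID: id-constructed-request\nNameId: admin"),
    (332, "LogoutResponse:\nID: id-constructed-response\n"
          "InResponseTo: id-never-sent\nStatusCode: " + SUCCESS),
]
```

Calling unmatched_logouts(SAMPLE_ROWS) returns the constructed request that was never answered and the constructed response whose InResponseTo matches no logged request.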