Audit User Request
Every time that Identify Runtime is sent a request of some sort, it will be registered into this table. There are various requests that a service provider may send to Identify Runtime. Some will have a user in context; others will not. The different types of events are registered into the column [AuditUserRequest].[UserRequestEventId] by an enumeration specifying the type of request that was received. The column [AuditUserRequest].[Value] will then store the specific values that the Request Event Type passed on to Identify Runtime. The details of the enumerations and types of values for these two columns are explained right after the column overview shown below.
| [Table].[Column] storing log information | Description of information stored |
| [AuditEvent].[EventType] | Identifies the event that is identified by the value in this column being AuditUserRequest. |
| [AuditEvent].[UTCTimestamp] | Specifies the date and time in UTC that the event occurred. |
| [AuditEvent].[UserName] | Saves the unique identity bearing claim in the Username column if this action is carried out via a federated user. The federated user might or might not exist in the Identify database; he will still be registered. |
| [AuditEvent].[ApplicationId] | Identifies the name of the service provider making a request for Identify Runtime. |
| [AuditUserRequest].[LocalTimestamp] | Specifies the local time on the server of the requesting party. |
| [AuditUserRequest].[UserRequestEventId] | See below. |
| [AuditUserRequest].[Value] | Specifies the value supplied for the request as appropriate for the specified User Request Event Id. |
Let’s take a closer look at the UserRequestEventIds that exist as well as the types of values that are stored with them. There may be two records for the same EventId (having the same "ID" in the [Value] field) as information is split every 10 lines of content.
| User Request Event Id | Description | Example of [AuditUserRequest].[Value] |
| 300 | This event is generated when a service provider sends a request to Identify as Identity Providerto request authentication. It contains information about requestor (IP-address, time stamp [IssueInstant], Issuer, AudienceRestriction) and Identify’s main endpoint, which receives requests from Service Providers and also is where responses are sent back to Service Providers (Destination). | IP-address: 127.0.0.1AuthnRequest: ID: id469275331fcb46e487a9c9dbeec1ed8f IssueInstant: 2011-09-23T15:07:34.0511250Z Destination: https://identify1.safewhere.local/runtime/saml2/issue.idpIsPassive: false Issuer: https://spdemo.safewhere.local/AudienceRestriction: https://spdemo.safewhere.local/ |
| 303 | Login requestThis event is generated when Identify acts as a service provider and it receives a login request then forwards this to Identity Provider (Destination). Some additional information is provided as well: IP-address, time stamp [IssueInstant]. | IP-address: 127.0.0.1AuthnRequest: ID: id1775e0696210459f8007bfa9f9a4e04a IssueInstant: 2011-08-16T16:19:43.0078125Z Destination: https://fed.safewhere.local/adfs/ls/IsPassive: false Issuer: https://identify1.safewhere.local/runtime/AudienceRestriction: https://identify1.safewhere.local/runtime/ |
| 304 | Authentication infoThis event is generated when Identify Runtime selects the connection to process login requests with information about the connectionID in DB (SelectedAuthnConnectionId) and corresponding URL (rawURL). | IP-address: 127.0.0.1SelectedAuthnConnectionId: 2a5e4c05-37c4-4108-a4dc-239wer23eccc3 rawUrl: https://identify1.safewhere.local:443/runtime/usernamepasswordauth/login.idp |
| 305 | Login authentication result info This event is generated to indicate whether the authentication is successful (True) or not (False). | AuthenticationSucceeded: True |
| 306 | Login Authentication response infoThis event is generated with some information about Security Token lifetime and some additional information for SAML 2 protocol. There may be two events having the same Instance Ids, as mentioned on the top of the table | RequestSecurityTokenResponse:ReplyTo: https://identify1.safewhere.local/admin/Lifetime: Created: 2011-09-22T03:42:14.9109219Z Expires: 2011-09-22T04:42:14.9109219Z AppliesTo: https://identify1.safewhere.local/admin/NotBefore: 2011-09-22T03:42:14.9109219Z NotOnOrAfter: 2011-09-22T04:42:14.9109219Z Audience: https://identify1.safewhere.local/admin/Instance Id: 185222df-9795-470f-9f12-d0348168c3b8 IP-address: 127.0.0.1 Assertion: ID: idaf71f6366983437b8bc6ef2f211e043e IssueInstant: 2011-09-23T16:18:00.0706563Z Issuer: https://identify1.safewhere.local/runtime/InResponseTo: id143ab70d4b1145099dc9b8184653fd7a NotBefore: 2011-09-23T16:28:00.0716328Z NotOnOrAfter: 2011-09-23T17:18:00.0726094Z Recipient: https://spdemo.safewhere.local/Instance Id: 185222df-9795-470f-9f12-d0348168c3b8 AudienceRestriction: https://spdemo.safewhere.local/AuthnInstant: 2011-09-23T16:18:00.0726094Z SessionIndex: 1532239041 SessionNotOnOrAfter: NameId: admin NameIdFormat: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent RequestSecurityTokenResponse: ReplyTo: https://identify1.safewhere.local/admin/Lifetime: Created: 2011-09-23T15:34:18.4026875Z Expires: 2011-09-23T16:34:18.4026875Z AppliesTo: https://identify1.safewhere.local/admin/NotBefore: 2011-09-23T15:34:18.4026875Z NotOnOrAfter: 2011-09-23T16:34:18.4026875Z Audience: https://identify1.safewhere.local/admin/ |
| 307 | Login final request infoThis event is generated with some information about Security Token lifetime and some additional information for SAML 2 protocol. There may be two events having the same Instance Ids, as mentioned at the top of the table. | Instance Id: eea4ca09-52b3-490e-ac03-2938e9f2a5ceIP-address: 192.168.127.1 Assertion: ID: _0b0f35d5-9d43-44e5-a2de-0fb32511d97e IssueInstant: 2011-08-17T03:23:32.3880000Z Issuer: http://fed.safewhere.local/adfs/services/trustInResponseTo: id23d3d39c380c4c54b109d15b21be1f25 NotBefore: 2011-08-17T03:23:32.1340000Z NotOnOrAfter: 2011-08-17T04:23:32.1340000Z Recipient: https://identify1.safewhere.local/runtime/saml2auth/consume.idp |
| 400 | Login authentication user info This event is generated when Identity Provider receives the user login info. At this point, it is the username that is received. | UserName: admin |
| 500 | Claim informationGenerated with request claim(s) info. | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: admin |
| 501 | Claim informationGenerated with response claim(s) info. | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: admin http://schemas.microsoft.com/ws/2008/06/identity/claims/role: ClaimAdmin,ConnectionAdmin,OrganizationAdmin,UserAdmin |
| 600 | Signature infoGenerated with certificates info. | Signature: <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" /><KeyInfoxmlns="http://www.w3.org/2000/09/xmldsig#"><e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#"><e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"> |
| 330 | Logout initial requestThis event is generated when a service provider sends a logout request to Identify. It contains information about requestor (IP-address, time stamp [IssueInstant], Issuer, AudienceRestriction) and Identify’s main endpoint, which receives requests from Service Providers and also is where responses are sent back to Service Providers (Destination). | IP-address: 127.0.0.1Action: wsignout1.0 BaseUri: https://identify1.safewhere.local/runtime/WSFederation/WSFederation.idpReply: https://identify1.safewhere.local/admin/UserAdministration/MyProfileDetail.aspxwa: wsignout1.0 wreply: https://identify1.safewhere.local/admin/UserAdministration/MyProfileDetail.aspxIP-address: 127.0.0.1 LogoutRequest: ID: id8f4577743bda4fcfb0eea67ad27cc225 IssueInstant: 2011-08-16T15:29:56.2636718Z Destination: https://identify1.safewhere.local/runtime/saml2/issue.idpIssuer: https://spdemo.safewhere.localReason: urn:oasis:names:tc:SAML:2.0:logout:user NameId: admin NameIdFormat: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent SessionIndex: 1979239448 |
| 331 | Logout requestThis event is generated when Identify acts as a service provider and it receives a logout request then forwards this to Identity Provider (Destination). Some additional information is provided as well: IP-address, time stamp [IssueInstant]. | IP-address: 192.168.127.1LogoutRequest: ID: id02ac0e0e0d77437f85255749d4552a0a IssueInstant: 2011-08-17T15:43:33.6142578Z Destination: https://fed.safewhere.local/adfs/ls/Issuer: https://identify1.safewhere.local/runtime/Reason: NameId: Administrator@globeteam.org NameIdFormat: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent SessionIndex: _45cc26ee-3b07-4d75-a33b-1f2b90ed084a |
| 332 | Logout responseThis event is only generated when Identify acts as a SAML 2 service provider and it receives a logout response from the Identity Provider (Issuer). | IP-address: 192.168.127.1LogoutResponse: ID: _8bc5f635-ec50-4ca5-a7d7-726250992c44 IssueInstant: 2011-08-17T15:43:35.9950000Z Destination: https://identify1.safewhere.local/runtime/saml2auth/signoffresponse.idpIssuer: http://fed.safewhere.local/adfs/services/trustInResponseTo: id02ac0e0e0d77437f85255749d4552a0a StatusCode: urn:oasis:names:tc:SAML:2.0:status:Success |
| 333 | Logout final responseThis event is generated when all logout responses have been successful (and Identity Provider sends the final logout response to the SP who initiates logout). | IP-address: 127.0.0.1Action: wsignout1.0 BaseUri: https://identify1.safewhere.local/runtime/WSFederation/WSFederation.idpReply: https://identify1.safewhere.local/admin/UserAdministration/MyProfileDetail.aspxwa: wsignout1.0 wreply: https://identify1.safewhere.local/admin/UserAdministration/MyProfileDetail.aspxIP-address: 127.0.0.1 LogoutResponse: ID: id38028abd77884e588b09ecf911196b86 IssueInstant: 2011-09-23T17:30:37.0735860Z Destination: https://spdemo.safewhere.local/logout.ashxIssuer: https://identify1.safewhere.local/runtimeInResponseTo: id28003f34a8fb42c68c4fa5ab198cf946 StatusCode: urn:oasis:names:tc:SAML:2.0:status:Success |