AuditUserRequest


Every time Identify*Runtime receives a request, the request is registered in this table. A Relying Party may send various requests to Identify*Runtime; some have a user in context, others do not. The type of request received is recorded in the column [AuditUserRequest].[UserRequestEventId] as an enumeration value. The column [AuditUserRequest].[Value] then stores the specific values that the request passed to Identify*Runtime. The enumeration values and the types of values for these two columns are explained right after the column overview below.

| [Table].[Column] storing log information | Description of information stored |
| --- | --- |
| [AuditEvent].[EventType] | Event is identified by value in this column being “AuditUserRequest” |
| [AuditEvent].[UTCTimestamp] | Specifies the date and time in UTC that the event occurred. |
| [AuditEvent].[UserName] | If this action is carried out via a federated user, his unique identity bearing claim will be saved into the username column. The federated user may or may not exist in the Identify database; he will still be registered. |
| [AuditEvent].[ApplicationId] | The name of the Relying Party making a request for Identify*Runtime |
| [AuditUserRequest].[LocalTimestamp] | The local time on the server of the Requesting Party. |
| [AuditUserRequest].[UserRequestEventId] | See below |
| [AuditUserRequest].[Value] | The value supplied for the request as appropriate for the specified User Request Event Id |

Let us take a closer look at the UserRequestEventIds that exist and the types of values that are stored with them. There may be two records for the same EventId (having the same “ID” in the [Value] field), as information is split every 10 lines of content.

User Request Event Id Description Example of [AuditUserRequest].[Value]
300 User login initial request

This event is generated when a Relying Party sends a request to Identify, acting as IdP, to request authentication. It contains information about the requestor (IP-address, time stamp [IssueInstant], Issuer, AudienceRestriction) and Identify’s main endpoint, which receives requests from RPs and is also where responses are sent back to RPs (Destination).

IP-address: 127.0.0.1  AuthnRequest:   ID: id469275331fcb46e487a9c9dbeec1ed8f   IssueInstant: 2011-09-23T15:07:34.0511250Z   Destination: https://identify1.safewhere.local/runtime/saml2/issue.idp   IsPassive: false   Issuer: https://spdemo.safewhere.local/   AudienceRestriction: https://spdemo.safewhere.local/
303 Login request

This event is generated when Identify acts as a Relying Party, receives a login request and forwards it to the IdP (Destination). Some additional information is provided as well: IP-address, time stamp [IssueInstant].

IP-address: 127.0.0.1  AuthnRequest:   ID: id1775e0696210459f8007bfa9f9a4e04a   IssueInstant: 2011-08-16T16:19:43.0078125Z   Destination: https://fed.safewhere.local/adfs/ls/   IsPassive: false   Issuer: https://identify1.safewhere.local/runtime/   AudienceRestriction: https://identify1.safewhere.local/runtime/
304 Authentication info

This event is generated when Identify Runtime selects the connection that will process the login request. It contains the connection's ID in the DB (SelectedAuthnConnectionId) and the corresponding URL (rawUrl).

IP-address: 127.0.0.1   SelectedAuthnConnectionId: 2a5e4c05-37c4-4108-a4dc-239wer23eccc3   rawUrl: https://identify1.safewhere.local:443/runtime/usernamepasswordauth/login.idp
305 Login authentication result info

This event is generated to indicate whether the authentication is successful (True) or not (False)

AuthenticationSucceeded: True
306 Login Authentication response info

This event is generated with some information about the Security Token lifetime and some additional information for the Saml2 protocol. There may be two events having the same Instance Id, as mentioned at the top of the table.

RequestSecurityTokenResponse:   ReplyTo: https://identify1.safewhere.local/admin/  Lifetime:   Created: 2011-09-22T03:42:14.9109219Z   Expires: 2011-09-22T04:42:14.9109219Z   AppliesTo: https://identify1.safewhere.local/admin/   NotBefore: 2011-09-22T03:42:14.9109219Z   NotOnOrAfter: 2011-09-22T04:42:14.9109219Z   Audience: https://identify1.safewhere.local/admin/

Instance Id: 185222df-9795-470f-9f12-d0348168c3b8   IP-address: 127.0.0.1  Assertion:   ID: idaf71f6366983437b8bc6ef2f211e043e   IssueInstant: 2011-09-23T16:18:00.0706563Z   Issuer: https://identify1.safewhere.local/runtime/   InResponseTo: id143ab70d4b1145099dc9b8184653fd7a   NotBefore: 2011-09-23T16:28:00.0716328Z   NotOnOrAfter: 2011-09-23T17:18:00.0726094Z   Recipient: https://spdemo.safewhere.local/

Instance Id: 185222df-9795-470f-9f12-d0348168c3b8   AudienceRestriction: https://spdemo.safewhere.local/   AuthnInstant: 2011-09-23T16:18:00.0726094Z   SessionIndex: 1532239041   SessionNotOnOrAfter:    NameId: admin   NameIdFormat: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

RequestSecurityTokenResponse:   ReplyTo: https://identify1.safewhere.local/admin/  Lifetime:   Created: 2011-09-23T15:34:18.4026875Z   Expires: 2011-09-23T16:34:18.4026875Z   AppliesTo: https://identify1.safewhere.local/admin/   NotBefore: 2011-09-23T15:34:18.4026875Z   NotOnOrAfter: 2011-09-23T16:34:18.4026875Z   Audience: https://identify1.safewhere.local/admin/

307 Login final request info

This event is generated with some information about the Security Token lifetime and some additional information for the Saml2 protocol. There may be two events having the same Instance Id, as mentioned at the top of the table.

Instance Id: eea4ca09-52b3-490e-ac03-2938e9f2a5ce   IP-address: 192.168.127.1  Assertion:   ID: _0b0f35d5-9d43-44e5-a2de-0fb32511d97e   IssueInstant: 2011-08-17T03:23:32.3880000Z   Issuer: http://fed.safewhere.local/adfs/services/trust   InResponseTo: id23d3d39c380c4c54b109d15b21be1f25   NotBefore: 2011-08-17T03:23:32.1340000Z   NotOnOrAfter: 2011-08-17T04:23:32.1340000Z   Recipient: https://identify1.safewhere.local/runtime/saml2auth/consume.idp
400 Login authentication user info.

This event is generated when Identify Runtime (IdP) receives the user login info. At this point it is the user name which is received.

UserName: admin
500 Claim information.

Generated with request claim(s) info.

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: admin
501 Claim information.

Generated with response claim(s) info.

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: admin   http://schemas.microsoft.com/ws/2008/06/identity/claims/role: ClaimAdmin,ConnectionAdmin,OrganizationAdmin,UserAdmin
600 Signature info.

Generated with certificates info.

Signature: <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" /><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#"><e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /></e:EncryptionMethod><KeyInfo><o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><X509Data><X509IssuerSerial><X509IssuerName>CN=Safewhere CA, DC=safewhere, DC=net</X509IssuerName><X509SerialNumber>21231109489652623217</X509SerialNumber></X509IssuerSerial></X509Data></o:SecurityTokenReference></KeyInfo><e:CipherData><e:CipherValue>GS7Vzt4HfpsBdEx/v…….Er7rRMMjTBC8uozf3P300t09BIh+uo</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
330 Logout initial request.

This event is generated when a Relying Party sends a logout request to Identify. It contains information about the requestor (IP-address, time stamp [IssueInstant], Issuer, AudienceRestriction) and Identify’s main endpoint, which receives requests from RPs and is also where responses are sent back to RPs (Destination).

IP-address: 127.0.0.1   Action: wsignout1.0   BaseUri: https://identify1.safewhere.local/runtime/WSFederation/WSFederation.idp   Reply: https://identify1.safewhere.local/admin/UserAdministration/MyProfileDetail.aspx   wa: wsignout1.0   wreply: https://identify1.safewhere.local/admin/UserAdministration/MyProfileDetail.aspx

IP-address: 127.0.0.1  LogoutRequest:   ID: id8f4577743bda4fcfb0eea67ad27cc225   IssueInstant: 2011-08-16T15:29:56.2636718Z   Destination: https://identify1.safewhere.local/runtime/saml2/issue.idp   Issuer: https://spdemo.safewhere.local/   Reason: urn:oasis:names:tc:SAML:2.0:logout:user   NameId: admin   NameIdFormat: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent   SessionIndex: 1979239448

331 Logout request.

This event is generated when Identify acts as a Relying Party, receives a logout request and forwards it to the IdP (Destination). Some additional information is provided as well: IP-address, time stamp [IssueInstant].

IP-address: 192.168.127.1  LogoutRequest:   ID: id02ac0e0e0d77437f85255749d4552a0a   IssueInstant: 2011-08-17T15:43:33.6142578Z   Destination: https://fed.safewhere.local/adfs/ls/   Issuer: https://identify1.safewhere.local/runtime/   Reason:    NameId: Administrator@globeteam.org   NameIdFormat: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent   SessionIndex: _45cc26ee-3b07-4d75-a33b-1f2b90ed084a
332 Logout response.

This event is only generated when Identify acts as a Saml2 Relying Party and it receives a logout response from the IdP (Issuer).

IP-address: 192.168.127.1  LogoutResponse:   ID: _8bc5f635-ec50-4ca5-a7d7-726250992c44   IssueInstant: 2011-08-17T15:43:35.9950000Z   Destination: https://identify1.safewhere.local/runtime/saml2auth/signoffresponse.idp   Issuer: http://fed.safewhere.local/adfs/services/trust   InResponseTo: id02ac0e0e0d77437f85255749d4552a0a   StatusCode: urn:oasis:names:tc:SAML:2.0:status:Success
333 Logout final response.

This event is generated when all logout responses have been successful (and Identify IdP sends the final logout response to the SP who initiates logout).

IP-address: 127.0.0.1   Action: wsignout1.0   BaseUri: https://identify1.safewhere.local/runtime/WSFederation/WSFederation.idp   Reply: https://identify1.safewhere.local/admin/UserAdministration/MyProfileDetail.aspx   wa: wsignout1.0   wreply: https://identify1.safewhere.local/admin/UserAdministration/MyProfileDetail.aspx

IP-address: 127.0.0.1  LogoutResponse:   ID: id38028abd77884e588b09ecf911196b86   IssueInstant: 2011-09-23T17:30:37.0735860Z   Destination: https://spdemo.safewhere.local/logout.ashx   Issuer: https://identify1.safewhere.local/runtime/   InResponseTo: id28003f34a8fb42c68c4fa5ab198cf946   StatusCode: urn:oasis:names:tc:SAML:2.0:status:Success
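
The following is an added example, not part of the original page or of Identify itself: a parser for the [Value] text that merges the two parts of a split record by Instance Id and computes the assertion validity window, using the event 306 example above as input. It assumes fields are separated by line breaks or runs of two or more spaces; the function names are hypothetical.

```python
import re
from datetime import datetime

# Assumption: fields inside [Value] are separated by line breaks or by runs of
# two or more spaces, as in the examples shown on this page.
FIELD_SEP = re.compile(r"\s{2,}|\n")

def parse_value(value):
    """Turn one [AuditUserRequest].[Value] string into a dict of fields."""
    fields = {}
    for token in FIELD_SEP.split(value.strip()):
        if token.endswith(":"):          # section header or empty value
            fields[token[:-1]] = ""
            continue
        key, sep, val = token.partition(": ")
        if sep:                          # a repeated key keeps its last value
            fields[key.strip()] = val.strip()
    return fields

def merge_split_records(values):
    """Merge the parts of records that share the same Instance Id."""
    merged = {}
    for value in values:
        fields = parse_value(value)
        if "Instance Id" in fields:      # records without one are skipped
            merged.setdefault(fields["Instance Id"], {}).update(fields)
    return merged

def validity_seconds(record):
    """Length of the assertion window: NotOnOrAfter minus NotBefore."""
    def ts(text):                        # strptime accepts at most 6 fraction digits
        return datetime.strptime(text[:26], "%Y-%m-%dT%H:%M:%S.%f")
    return (ts(record["NotOnOrAfter"]) - ts(record["NotBefore"])).total_seconds()

# The two parts of the event 306 example on this page (same Instance Id).
SAMPLE_VALUES = [
    "Instance Id: 185222df-9795-470f-9f12-d0348168c3b8   IP-address: 127.0.0.1  "
    "Assertion:   ID: idaf71f6366983437b8bc6ef2f211e043e   "
    "IssueInstant: 2011-09-23T16:18:00.0706563Z   "
    "Issuer: https://identify1.safewhere.local/runtime/   "
    "InResponseTo: id143ab70d4b1145099dc9b8184653fd7a   "
    "NotBefore: 2011-09-23T16:28:00.0716328Z   "
    "NotOnOrAfter: 2011-09-23T17:18:00.0726094Z   "
    "Recipient: https://spdemo.safewhere.local/",
    "Instance Id: 185222df-9795-470f-9f12-d0348168c3b8   "
    "AudienceRestriction: https://spdemo.safewhere.local/   "
    "AuthnInstant: 2011-09-23T16:18:00.0726094Z   SessionIndex: 1532239041   "
    "SessionNotOnOrAfter:    NameId: admin   "
    "NameIdFormat: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
]
```

Calling `merge_split_records(SAMPLE_VALUES)` returns one record per Instance Id, so fields that landed in different rows (for example Recipient and AudienceRestriction) can be compared in one place.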