SAML log events

Audit and investigation page: View sign-ins to SAML applications
The audit log page has been replaced with a new audit and investigation page. For information about this change, go to Improved audit and investigation experience: What's new in Google Workspace

You can use the audit and investigation page to run searches related to SAML log events. There you can view a record of actions to track your users' successful and unsuccessful sign-ins to SAML applications. Entries usually appear within an hour of the user action.

For a full list of services and activities that you can investigate, such as Google Drive or user activity, read through the data sources for the audit and investigation page.

Forward log event data to Google Cloud

Supported editions for this feature: Enterprise Standard and Enterprise Plus; Education Standard and Education Plus, Voice Premier.  Compare your edition

You can opt in to share the log event data with Google Cloud. If you turn on sharing, data is forwarded to Cloud Logging, where you can query and view your logs, and control how you route and store your logs.

Open the audit and investigation page

Access SAML log event data

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. On the left, click Reportingand thenAudit and investigationand thenSAML log events.

Filter the data

  1. Open the log events as described above in Access SAML log event data.
  2. Click Add a filter, and then select an attribute.
  3. In the pop-up window, select an operatorand thenselect a valueand thenclick Apply.
  4. (Optional) To create multiple filters for your search:
    1. Click Add a filter and repeat step 3.
    2. (Optional) To add a search operator, above Add a filter, select AND or OR.
  5. Click Search.

Note: Using the Filter tab, you can include simple parameter and value pairs to filter the search results. You can also use the Condition builder tab, where the filters are represented as conditions with AND/OR operators.

Attribute descriptions

For this data source, you can use the following attributes when searching log event data:

Attribute Description
Actor Email address of the user who performed the action
Actor group name

Group name of the actor. For more information, see Filtering results by Google Group.

To add a group to your filtering groups allowlist:

  1. Select Actor group name.
  2. Click Filtering groups.
    The Filtering groups page displays.
  3. Click Add Groups.
  4. Search for a group by entering the first few characters of its name or email address. When you see the group you want, select it.
  5. (Optional) To add another group, search for and select the group.
  6. When you finish selecting groups, click Add.
  7. (Optional) To remove a group, click Remove group "".
  8. Click Save.
Actor organizational unit Organizational unit of the actor
Application name The SAML application that initiated the event
Date The date and time the event occurred (displayed in your browser's default time zone)
Event Two types of events are logged: Successful and failed sign-in attempts
Failure type For failed sign-in attempts, a failure type is displayed. Go to Failure types and solutions below for details. 
Initiated by The provider who initiated the event. Can be the identity provider or the service provider.
IP address     The internet protocol (IP) address used by the user to sign in to the SAML application. This might reflect the user's physical location, but not necessarily. For example, it could instead be a proxy server or a virtual private network (VPN) address.
Response second level status Status information about the success or failure of the SAML request. For details on status codes, go to SAML v2.0 Core, Section 3.2.2.2.
Response status Status information about the success or failure of the SAML request. For details on status codes, go to SAML v2.0 Core, Section 3.2.2.2.

Filter data by failure type

  1. Open the log events as described above in Access SAML log event data.
  2. Click Add a filterand thenFailure type.
  3. From the drop down list, select an option.
  4. Click Apply.

Failure types and solutions

The following failure types are recorded in the log events:

Failure type Solution
Application not configured Verify that the service provider settings (including the Entity ID) are configured correctly in the Admin console
Application not enabled for user In the User access section of the the app's settings page in Admin console, verify that the application is ON for the organization that contains the user
Bad request The request was malformed, or the ACS URL in the request does not match the one configured in Admin console. Check that the ACS URL configured for the service provider is correct.
Invalid name ID mapping There is a mismatch between the NAMEID parameter in the application and the one configured in the app's settings in the Admin console. Check that the schema still exists and reconfigure the NAMEID mapping for the application.
Invalid service provider ID Check that the configuration on the service provider side matches the app-id field configured in Admin console. Ensure that the SP ID being passed in the request URL is the same as the app-id.
Name ID mapping unavailable The mapped attribute for NAMEID mapping could not be found. As administrator, check that the schema still exists and reconfigure the NAMEID mapping for the application.
Passive authentication failed The user could not be logged into the identity provider (IdP). Sign back in to the IdP from your browser.
Unknown Login failed for an unknown reason
User is unauthorized Verify that the application is ON for the organization or group that contains the user

Manage log event data

Manage search results column data

You can control which data columns appear in your search results.

  1. At the top-right of the search results table, click Manage columns "".
  2. (Optional) To remove current columns, click Remove "".
  3. (Optional) To add columns, next to Add new column, click the Down arrow "" and select the data column.
    Repeat as needed.
  4. (Optional) To change the order of the columns, drag the data column names.
  5. Click Save.

Export search result data

  1. At the top of the search results table, click Export all.
  2. Enter a name and then click Export.
    The export displays below the search results table under Export action results.
  3. To view the data, click the name of your export.
    The export opens in Google Sheets.

Create reporting rules

Go to Create and manage reporting rules.

When and how long is data available?

Go to Data retention and lag times.

Related topics

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

true
Start your free 14-day trial today

Professional email, online storage, shared calendars, video meetings and more. Start your free Google Workspace trial today.

Search
Clear search
Close search
Google apps
Main menu
true
Search Help Center
true
true
true
true
true
73010