SAML audit log

View your users' successful and failed logins to SAML applications

This feature is available with G Suite Enterprise, Business, Basic, Education, and Drive Enterprise edition. (Compare editions.) It's also available with Cloud Identity Premium.

As your organization's administrator, you can track your users' successful and failed logins to SAML applications using the SAML audit log. Entries usually appear within an hour of the user action.

Step 1: Open your SAML audit log

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Reports.

    To see Reports, you might have to click More controls at the bottom.

  3. On the left, under Audit, click SAML.
  4. On the toolbar, click Select columns Select columns. Then select the data you want to show in your log.
  5. See below for how to interpret and customize log data.

Step 2: Understand SAML audit log data

If you move from the G Suite Business or Enterprise edition to G Suite Basic, the audit log stops collecting data on new events. However, old data is still visible to administrators.

Data Type Description
Event Name The action that was logged.
  • Successful login
 A log entry for each time a user successfully logged in.
  • Failed login
 A log entry for each time a user had a failed login attempt.

Failure Type

 A series of Failure Type entries that only display after a user has a failed login attempt.
  • Application not configured
 A log entry for each time a user login failed because the application was not configured for the user. This application is not configured properly in Google’s Admin Console. As administrator, validate that the configuration (including the Entity ID of the application) is configured correctly.
  • Application not enabled for user
 A log entry for each time a user login failed because the application was not enabled for the user. As administrator, you need to turn this application “ON” from the Admin Console.
  • Invalid name ID mapping
 A log entry for each time a user login failed because an invalid name ID mapping was requested. There is a mismatch between the NAMEID parameter in the SP application and the one in the Admin Console. As administrator, you should check that the schema still exists and reconfigure the NAMEID mapping for the application.
  • Name ID mapping unavailable
 A log entry for each time a user login failed because the name ID mapping was unavailable. The mapped attribute for NAMEID mapping could not be found. As administrator, you should check that the schema still exists and reconfigure the NAMEID mapping for the application.
  • Invalid service provider ID
 A log entry for each time a user login failed because the service provider ID was invalid. Check that your configuration on the service provider side matches the app-id field configured in Admin Console. Ensure that the SP ID being passed in the request URL is the same as the app-id.
  • Bad request
 A log entry for each time a user login failed because a request was malformed or the ACS URL in the request does not match the one configured in the Admin Console. Check that the ACS URL configured for the service provider is correct.
  • Passive authentication failed
 A log entry for each time a user login failed because the system failed to passively authenticate the user. The user could not be logged into the Identity Provider. Relogin into the Identity Provider from your browser.
  • User is unauthorized
 A log entry for each time a user login failed because a request was denied. The user is not authorized. Check if the application is enabled for the user.
  • Unknown
 A log entry for each time a user login failed for an unknown reason.
Event description The details of the event described in the Event name field.  A Failed login entry includes the failure reason.
User name The email address or name of the user who triggered the event.
Organization name The name of the organization to which the user who triggered the event belongs.
Initiated by Which provider initiated the event. Can be Identity Provider or Service Provider.
Application Name The name of the application as configured by the administrator that initiated the event.
IP Address     The internet protocol (IP) address used by the user to sign in to the SAML application. This might reflect the user's physical location, but not necessarily. For example, it could instead be a proxy server or a virtual private network (VPN) address.
Date and time range The date and time the event occurred (displayed in your browser's default timezone).

Step 3: Customize and export your audit log data

Filter the audit log data by user or activity

You can narrow your audit log to show specific events or users. For example, find all log events for when a user login failed because the application was not configured for the user.

  1. Open your SAML audit log as shown above.
  2. If you don't see the Filters section, click Filter Filter.
  3. Enter or select the criteria for your filter. You can filter on any combination of the data you can view in the log.
  4. Click Search.

Filter by organizational unit

You can filter by organizational unit to compare statistics between child organizations in a domain.

  1. Open your report as shown above.
  2. On the left, under Filters, select an organizational unit from the list.

You can only filter the current organization hierarchy, even when searching for older data. Data before December 20, 2018 will not appear in the filtered results.

Export your audit log data

You can export your audit log data to Google Sheets or download it to a CSV file.

  1. Open your audit log as shown above.
  2. (Optional) To change the data to include in your export:
    1. On the toolbar, click Select columns Select columns.
    2. Check the box next to the data you want to export and click Apply.
  3. On the toolbar, click Download Download.

You can export up to 210,000 cells. The maximum number of rows depends on the number of columns you select. Audit logs to Sheets are limited to 10,000 rows, while CSV exports can include up to 500,000 rows.

How old is the data I'm seeing?

For details on exactly when data becomes available and how long it's retained, see Data retention and lag times.

Step 4: Set up email alerts

You can easily track specific SAML activities by setting up alerts. For example, get an alert whenever a user login fails because a request was denied.

  1. Open your SAML audit log as shown above.
  2. If you don't see the Filters section, click Filter Filter.
  3. Enter or select the criteria for your filter. To set up an alert, you can filter on any combination of the data you can view in the log except date and time range.
  4. Click Set Alert.
  5. In the Set alert: SAML box, enter a name for the alert.
  6. Check the box to deliver the alert to the account super administrators.
  7. Enter the email addresses of any other alert recipients.
  8. Click Save.

To edit your custom alerts, see Administrator email alerts.

Was this helpful?
How can we improve it?