SAML audit log

View your users' successful and failed logins to SAML applications

This feature is available with G Suite Enterprise, Business, Basic, Education, and Drive Enterprise edition. (Compare editions.) It's also available with Cloud Identity Premium.

You can track your users' successful and failed logins to SAML applications using the SAML audit log. Entries usually appear within an hour of the user action.

Note: For details on when log data becomes available and how long it's retained, see Data retention and lag times.

Step 1: Open your SAML audit log

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Reports.

    To see Reports, you might have to click More controls at the bottom.

  3. On the left, under Audit, click SAML.
  4. (Optional) Next to the columns, click Manage columns Manage columns and select the columns that you want to see or hide.

Step 2: Understand SAML audit log data

If you move from the G Suite Business or Enterprise edition to G Suite Basic, the audit log stops collecting data on new events. However, old data is still visible to administrators.

Data you can view
Data Type Description
Event Name The action that was logged.
  • Successful login
 A log entry for each time a user successfully logged in.
  • Failed login
 A log entry for each time a user had a failed login attempt.

Failure Type

 A series of Failure Type entries that only display after a user has a failed login attempt.
  • Application not configured
 A log entry for each time a user login failed because the application was not configured for the user. This application is not configured properly in Google’s Admin console. As administrator, validate that the configuration (including the Entity ID of the application) is configured correctly.
  • Application not enabled for user
 A log entry for each time a user login failed because the application was not enabled for the user. As administrator, you need to turn this application “ON” from the Admin console.
  • Invalid name ID mapping
 A log entry for each time a user login failed because an invalid name ID mapping was requested. There is a mismatch between the NAMEID parameter in the SP application and the one in the Admin console. As administrator, you should check that the schema still exists and reconfigure the NAMEID mapping for the application.
  • Name ID mapping unavailable
 A log entry for each time a user login failed because the name ID mapping was unavailable. The mapped attribute for NAMEID mapping could not be found. As administrator, you should check that the schema still exists and reconfigure the NAMEID mapping for the application.
  • Invalid service provider ID
 A log entry for each time a user login failed because the service provider ID was invalid. Check that your configuration on the service provider side matches the app-id field configured in Admin console. Ensure that the SP ID being passed in the request URL is the same as the app-id.
  • Bad request
 A log entry for each time a user login failed because a request was malformed or the ACS URL in the request does not match the one configured in the Admin console. Check that the ACS URL configured for the service provider is correct.
  • Passive authentication failed
 A log entry for each time a user login failed because the system failed to passively authenticate the user. The user could not be logged into the identity provider (IdP). Sign back in to the IdP from your browser.
  • User is unauthorized
 A log entry for each time a user login failed because a request was denied. The user is not authorized. Check if the application is enabled for the user.
  • Unknown
 A log entry for each time a user login failed for an unknown reason.
Event description The details of the event described in the Event name field. A failed login entry includes the failure reason.
User name The email address or name of the user who triggered the event.
Organization name The name of the organization to which the user who triggered the event belongs.
Initiated by Which provider initiated the event. Can be IdP or service provider.
Application Name The name of the application as configured by the administrator that initiated the event.
IP Address     The internet protocol (IP) address used by the user to sign in to the SAML application. This might reflect the user's physical location, but not necessarily. For example, it could instead be a proxy server or a virtual private network (VPN) address.
Date and time range The date and time the event occurred (displayed in your browser's default time zone).

Step 3: Customize and export your audit log data

Filter the audit log data by user or activity

You can narrow your audit log to show specific events or users. For example, find all log events for when a user login failed because the application was not configured for the user.

  1. Open your SAML audit log as shown above.
  2. Click Add a filter.
  3. Select and enter the criteria for your filter and if needed, click Apply.
  4. (Optional) To filter by organizational unit, at the top right, click Organization filter, select the organizational unit, and click Apply.
  5. (Optional) To specify a date range to search, click Date range and select a period from the list or enter a start and end date and time. If needed, click Apply.

Filter by organizational unit

You can filter by organizational unit to compare statistics between child organizations in a domain.

  1. Open your audit log as shown above.
  2. At the top, click Organization filter.
  3. Select an organizational unit and click Apply.

Filter by date

  1. Open your report as shown above.
  2. At the top, click Date range.
  3. Select a period from the list or enter a start and end date and time.
  4. If needed, click Apply.

Export your audit log data

You can export your audit log data to Google Sheets or download it to a CSV file.

  1. Open your audit log as shown above.
  2. (Optional) To change the data to include in your export, click Manage columns Manage columns, select or remove the columns that you want to export, and click Save.
  3. Click Download Download.
  4. Under Select columns, click Currently selected columns or All columns.
  5. Under Select format, click Google Sheets or comma-separated values (CSV).
  6. Click Download.

You can export a maximum of 100,000 rows to Sheets or CSV.

How old is the data I'm seeing?

For details on exactly when data becomes available and how long it's retained, see Data retention and lag times.

Step 4: Set up email alerts

You can easily track specific SAML activities by setting up alerts. For example, get an alert whenever a user login fails because a request was denied.

  1. Open your audit log as shown above.
  2. Click Add a filter.
  3. Enter or select the criteria for your filter and click Create Alert.
  4. Enter a name for the alert.
  5. (Optional) To send the alert to all super administrators, under Recipients, click Turn on Turn on.
  6. Enter the email addresses of alert recipients.
  7. Click Create.

To edit your custom alerts, see Administrator email alerts.

Was this helpful?
How can we improve it?