You can track your users' successful and failed sign-ins to SAML applications using the SAML audit log. Entries usually appear within an hour of the user action.
Forward log event data to the Google Cloud Platform
You can opt in to share the log event data with Google Cloud Platform. If you turn on sharing, data is forwarded to Cloud Logging, where you can query and view your logs, and control how you route and store your logs.
From the Admin console Home page, go to Reports.
- On the left, click AuditSAML.
(Optional) To customize what data you see, on the right, click Manage columns . Select the columns that you want to see or hideclick Save.
(Optional) Review ways to filter and export log data and create alerts.
Data you can view
The SAML audit log provides the following information:
|Event description||The details of the event described in the Event name field|
|Event name||Two types of events are logged: Successful logins and failed login attempts|
|User||The email address or name of the user who triggered the event|
|Application name||The SAML application that initiated the event|
|Organization name||The user's organization|
|Initiated by||The provider who initiated the event. Can be the identity provider or the service provider.|
|Failure type||For failed login attempts, a failure type is displayed. Go to Failure types below for details.|
second level status
|Status information about the success or failure of the SAML request. For details on status codes, go to SAML v2.0 Core, Section 22.214.171.124.|
|IP address||The internet protocol (IP) address used by the user to sign in to the SAML application. This might reflect the user's physical location, but not necessarily. For example, it could instead be a proxy server or a virtual private network (VPN) address.|
|Date||The date and time the event occurred (displayed in your browser's default time zone)|
|Device ID||Device ID of devices that sign in to SAML apps with a Context-Aware Access device policy enforced. Use Device ID to view device details for mobile and desktop devices.|
The following failure types are recorded in the audit log:
Filter log by event name or failure type
- Click Add a filter.
- Click Event name.
- Choose either Failed login or Successful login.
- (Optional) For Failed login, you can also choose a Failure type filter.
- Click Apply.
The audit log shows entries for each time the particular event occurred during the time range that you set.
When and how long is data available?
Go to Data retention and lag times.