SAML audit log

View your users' successful and failed sign-ins to SAML applications

This feature is available with the G Suite Enterprise, Business, Basic, Education, and Essentials editions. (Compare editions.) It's also available with Cloud Identity Premium.

You can track your users' successful and failed sign-ins to SAML applications using the SAML audit log. Entries usually appear within an hour of the user action.

Open the SAML audit log

  1. Sign in to your Google Admin console using your administrator account (one that does not end in @gmail.com).
  2. From the Admin console Home page, go to Reports.
  3. On the left, under Audit, click SAML.
  4. (Optional) To customize what you review, on the right, click Manage columns, select the columns that you want to see or hide, and click Save.

Data you can view

If you move from the G Suite Business or Enterprise edition to G Suite Basic, the audit log stops collecting data on new events. However, old data is still visible to administrators.

Data type: Description

Event Name: The action that was logged.
  Successful login: Each time a user successfully logged in.
  Failed login: Each time a user had a failed login attempt.
Failure Type: A series of Failure Type entries that only display after a user has a failed login attempt.
  Application not configured: Each time a user login failed because the application was not configured for the user. This application is not configured properly in Google's Admin console. As administrator, validate that the configuration (including the Entity ID of the application) is correct.
  Application not enabled for user: Each time a user login failed because the application was not enabled for the user. As administrator, you need to turn this application "ON" from the Admin console.
  Invalid name ID mapping: Each time a user login failed because an invalid name ID mapping was requested. There is a mismatch between the NAMEID parameter in the SP application and the one in the Admin console. As administrator, you should check that the schema still exists and reconfigure the NAMEID mapping for the application.
  Name ID mapping unavailable: Each time a user login failed because the name ID mapping was unavailable. The mapped attribute for NAMEID mapping could not be found. As administrator, you should check that the schema still exists and reconfigure the NAMEID mapping for the application.
  Invalid service provider ID: Each time a user login failed because the service provider ID was invalid. Check that your configuration on the service provider side matches the app-id field configured in the Admin console. Ensure that the SP ID being passed in the request URL is the same as the app-id.
  Bad request: Each time a user login failed because a request was malformed or the ACS URL in the request does not match the one configured in the Admin console. Check that the ACS URL configured for the service provider is correct.
  Passive authentication failed: Each time a user login failed because the system failed to passively authenticate the user. The user could not be logged into the identity provider (IdP). Sign back in to the IdP from your browser.
  User is unauthorized: Each time a user login failed because a request was denied. The user is not authorized. Check if the application is enabled for the user.
  Unknown: Each time a user login failed for an unknown reason.
Event description: The details of the event described in the Event Name field. A failed login entry includes the failure reason.
User name: The email address or name of the user who triggered the event.
Organization name: The name of the organization to which the user who triggered the event belongs.
Initiated by: The provider that initiated the event, either the IdP or the service provider.
Application Name: The name of the application, as configured by the administrator, that initiated the event.
IP Address: The internet protocol (IP) address used by the user to sign in to the SAML application. This might reflect the user's physical location, but not necessarily. For example, it could instead be a proxy server or a virtual private network (VPN) address.
Date and time range: The date and time the event occurred (displayed in your browser's default time zone).
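The failure types above map directly to who has to act: most point at an Admin console misconfiguration, one ("Passive authentication failed") at the user's IdP session. The following added example (not part of this help article, and not a Google API) shows how an administrator might triage an export of these entries once they are in a script. It assumes each entry is a dict keyed by the column names listed above; the records themselves are constructed sample data, not real log output.

```python
"""Triage SAML audit log entries by Failure Type.

Added example, not part of the Google help article. Records are dicts keyed by
the audit log column names the article lists; the export shape is an assumption,
and the sample entries below are constructed, not real data.
"""
from collections import Counter, defaultdict

# Remediation text per Failure Type, condensed from the article's descriptions.
REMEDIATION = {
    "Application not configured": "Validate the app's configuration (including its Entity ID) in the Admin console.",
    "Application not enabled for user": "Turn the application ON for the user in the Admin console.",
    "Invalid name ID mapping": "Check that the schema still exists and reconfigure the NAMEID mapping for the app.",
    "Name ID mapping unavailable": "Check that the schema still exists and reconfigure the NAMEID mapping for the app.",
    "Invalid service provider ID": "Ensure the SP ID in the request URL matches the app-id configured in the Admin console.",
    "Bad request": "Check that the ACS URL configured for the service provider is correct.",
    "Passive authentication failed": "The user must sign back in to the IdP from their browser.",
    "User is unauthorized": "Check whether the application is enabled for the user.",
    "Unknown": "No specific guidance; review the Event description field.",
}

# Who needs to act: admin-side configuration versus the user's own IdP session.
ADMIN_ACTION = {
    "Application not configured", "Application not enabled for user",
    "Invalid name ID mapping", "Name ID mapping unavailable",
    "Invalid service provider ID", "Bad request", "User is unauthorized",
}
USER_ACTION = {"Passive authentication failed"}


def _event(name, failure, user, initiated_by, app, ip, when):
    """Build a constructed record using the article's column names."""
    return {
        "Event Name": name, "Failure Type": failure, "User name": user,
        "Organization name": "Example Inc", "Initiated by": initiated_by,
        "Application Name": app, "IP Address": ip, "Date and time": when,
    }


# Constructed sample log (RFC 5737 documentation addresses, example.com users).
SAMPLE_EVENTS = [
    _event("Successful login", "", "alice@example.com", "IdP", "Expense App", "203.0.113.10", "2020-06-01 09:00"),
    _event("Failed login", "Application not enabled for user", "alice@example.com", "service provider", "Payroll", "203.0.113.10", "2020-06-01 09:05"),
    _event("Failed login", "Invalid name ID mapping", "bob@example.com", "IdP", "Payroll", "198.51.100.7", "2020-06-01 09:10"),
    _event("Failed login", "Invalid name ID mapping", "bob@example.com", "IdP", "Payroll", "198.51.100.7", "2020-06-01 09:11"),
    _event("Failed login", "Invalid name ID mapping", "bob@example.com", "IdP", "Payroll", "198.51.100.7", "2020-06-01 09:12"),
    _event("Failed login", "Passive authentication failed", "carol@example.com", "service provider", "Payroll", "192.0.2.44", "2020-06-01 09:20"),
    _event("Failed login", "Bad request", "dave@example.com", "service provider", "Expense App", "192.0.2.44", "2020-06-01 09:25"),
]


def failed_logins(events):
    """Return only the Failed login entries."""
    return [e for e in events if e["Event Name"] == "Failed login"]


def failures_by_type(events):
    """Count failed logins per Failure Type; an empty type is reported as Unknown."""
    return Counter(e["Failure Type"] or "Unknown" for e in failed_logins(events))


def triage(events):
    """Group failed logins by application, with owner and remediation attached."""
    out = defaultdict(list)
    for e in failed_logins(events):
        ftype = e["Failure Type"] or "Unknown"
        if ftype in ADMIN_ACTION:
            owner = "admin"
        elif ftype in USER_ACTION:
            owner = "user"
        else:
            owner = "investigate"
        out[e["Application Name"]].append({
            "user": e["User name"], "failure": ftype, "owner": owner,
            "remediation": REMEDIATION.get(ftype, REMEDIATION["Unknown"]),
        })
    return dict(out)


def repeated_failures(events, threshold=3):
    """(user, IP) pairs with at least `threshold` failed logins. Usually a user
    retrying a misconfigured app; the IP may be a proxy or VPN, as the article notes."""
    hits = Counter((e["User name"], e["IP Address"]) for e in failed_logins(events))
    return {pair for pair, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for ftype, n in failures_by_type(SAMPLE_EVENTS).most_common():
        print(f"{n:3d}  {ftype}: {REMEDIATION[ftype]}")
    for app, items in triage(SAMPLE_EVENTS).items():
        print(app, "->", [(i["user"], i["owner"]) for i in items])
    print("repeated:", repeated_failures(SAMPLE_EVENTS))
```

Grouping by application first is deliberate: the admin-side failure types (Entity ID, NAMEID mapping, app-id, ACS URL) are properties of one app's configuration, so one fix usually clears every user's failures for that app, whereas a "Passive authentication failed" entry needs the individual user to sign back in to the IdP.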

When and how long is data available?

See Data retention and lag times.
