You can track your users' successful and failed sign-ins to SAML applications using the SAML audit log. Entries usually appear within an hour of the user action.
Open the SAML audit log
- Sign in to your Google Admin console.
  Sign in using your administrator account (does not end in @gmail.com).
- From the Admin console Home page, go to Reports.
- On the left, under Audit log, click SAML.
- (Optional) To customize what data you see, on the right, click Manage columns. Select the columns that you want to see or hide, then click Save.
- (Optional) Review ways to filter and export log data and create alerts.
Data you can view
The SAML audit log provides the following information:
Data type | Description |
---|---|
Event description | The details of the event described in the Event name field |
Event name | Two types of events are logged: Successful logins and failed login attempts |
User | The email address or name of the user who triggered the event |
Application name | The SAML application that initiated the event |
Organization name | The user's organization |
Initiated by | The provider who initiated the event. Can be the identity provider or the service provider. |
Failure type | For failed login attempts, a failure type is displayed. Go to Failure types below for details. |
Response status/ second level status | Status information about the success or failure of the SAML request. For details on status codes, go to SAML v2.0 Core, Section 3.2.2.2. |
IP address | The internet protocol (IP) address used by the user to sign in to the SAML application. This might reflect the user's physical location, but not necessarily. For example, it could instead be a proxy server or a virtual private network (VPN) address. |
Date | The date and time the event occurred (displayed in your browser's default time zone) |
Failure types and solutions
The following failure types are recorded in the audit log:
Filter log by event name or failure type
- Click Add a filter.
- Click Event name.
- Choose either Failed login or Successful login.
- (Optional) For Failed login, you can also choose a Failure type filter.
- Click Apply.
The audit log shows entries for each time the particular event occurred during the time range that you set.
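The same Failed login filter can be applied offline to an exported copy of the log. The following is an added example, not Google's code: it groups failed logins by application and failure type, and by user and IP address. The CSV header names are assumed to match the data types listed above, and the thresholds, users, applications, IP addresses and failure-type values are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. The header names are assumed to match the data
# types in the table above; users, apps, IPs and failure types are made up.
SAMPLE_EXPORT = """\
Event name,User,Application name,Failure type,IP address,Date
Failed login,alice@example.com,ExampleCRM,PLACEHOLDER_TYPE_A,203.0.113.7,2024-01-10 09:00
Failed login,bob@example.com,ExampleCRM,PLACEHOLDER_TYPE_A,203.0.113.8,2024-01-10 09:02
Failed login,carol@example.com,ExampleCRM,PLACEHOLDER_TYPE_A,203.0.113.9,2024-01-10 09:03
Successful login,dave@example.com,ExampleWiki,,198.51.100.4,2024-01-10 09:05
Failed login,erin@example.com,ExampleWiki,PLACEHOLDER_TYPE_B,198.51.100.20,2024-01-10 09:10
Failed login,erin@example.com,ExampleWiki,PLACEHOLDER_TYPE_B,198.51.100.21,2024-01-10 09:11
Failed login,erin@example.com,ExampleWiki,PLACEHOLDER_TYPE_B,198.51.100.22,2024-01-10 09:12
"""

def triage_failed_logins(csv_text, min_users=3, min_ips=3):
    """Group failed SAML logins two ways and return the groups over threshold.

    apps:  (application, failure type) pairs failing for >= min_users users,
           a pattern that suggests checking that app's SAML configuration.
    users: users failing from >= min_ips distinct IP addresses,
           a pattern that suggests a closer look at that account.
    Both thresholds are illustrative assumptions, not values from the page.
    """
    users_by_app = defaultdict(set)
    ips_by_user = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Event name"].strip() != "Failed login":
            continue  # same effect as the Event name filter in the console
        user = row["User"].strip().lower()
        app_key = (row["Application name"].strip(), row["Failure type"].strip())
        users_by_app[app_key].add(user)
        ips_by_user[user].add(row["IP address"].strip())
    return {
        "apps": {k: sorted(v) for k, v in users_by_app.items() if len(v) >= min_users},
        "users": {u: sorted(ips) for u, ips in ips_by_user.items() if len(ips) >= min_ips},
    }

if __name__ == "__main__":
    result = triage_failed_logins(SAMPLE_EXPORT)
    for (app, failure), users in result["apps"].items():
        print(f"{app}: {failure} for {len(users)} users")
    for user, ips in result["users"].items():
        print(f"{user}: failures from {len(ips)} IP addresses")
```

Because the IP address column can show a proxy or VPN address, treat the per-user IP count as a prompt to review the account rather than as proof of different locations.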
When and how long is data available?
Go to Data retention and lag times.