Google Workspace Admin

SAML audit log

View your users' successful and failed sign-ins to SAML applications

You can track your users' successful and failed sign-ins to SAML applications using the SAML audit log. Entries usually appear within an hour of the user action.

Forward log event data to the Google Cloud Platform

Supported editions for this feature: Enterprise; Education Standard and Plus, Voice Premier.  Compare your edition

You can opt in to share the log event data with Google Cloud Platform. If you turn on sharing, data is forwarded to Cloud Logging, where you can query and view your logs, and control how you route and store your logs.

Open the SAML audit log

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Reports.
  3. On the left, click Auditand thenSAML.

  4. (Optional) To customize what data you see, on the right, click Manage columns "". Select the columns that you want to see or hideand thenclick Save.

  5. (Optional) Review ways to filter and export log data and create alerts.

Data you can view

The SAML audit log provides the following information:

Data type Description
Event description The details of the event described in the Event name field
Event name Two types of events are logged: Successful logins and failed login attempts
User The email address or name of the user who triggered the event
Application name The SAML application that initiated the event
Organization name The user's organization
Initiated by The provider who initiated the event. Can be the identity provider or the service provider.
Failure type For failed login attempts, a failure type is displayed. Go to Failure types below for details. 
Response status/
second level status		 Status information about the success or failure of the SAML request. For details on status codes, go to SAML v2.0 Core, Section 3.2.2.2.
IP address     The internet protocol (IP) address used by the user to sign in to the SAML application. This might reflect the user's physical location, but not necessarily. For example, it could instead be a proxy server or a virtual private network (VPN) address.
Date The date and time the event occurred (displayed in your browser's default time zone)
Device ID Device ID of devices that sign in to SAML apps with a Context-Aware Access device policy enforced. Use Device ID to view device details for mobile and desktop devices.

Failure types and solutions

The following failure types are recorded in the audit log:

Failure type Solution
Application not configured Verify that the service provider settings (including the Entity ID) are configured correctly in the Admin console
Application not enabled for user In the User access section of the the app's settings page in Admin console, verify that the application is ON for the organization that contains the user
Invalid name ID mapping There is a mismatch between the NAMEID parameter in the application and the one configured in the app's settings in the Admin console. Check that the schema still exists and reconfigure the NAMEID mapping for the application.
Name ID mapping unavailable The mapped attribute for NAMEID mapping could not be found. As administrator, check that the schema still exists and reconfigure the NAMEID mapping for the application.
Invalid service provider ID Check that the configuration on the service provider side matches the app-id field configured in Admin console. Ensure that the SP ID being passed in the request URL is the same as the app-id.
Bad request The request was malformed, or the ACS URL in the request does not match the one configured in Admin console. Check that the ACS URL configured for the service provider is correct.
Passive authentication failed The user could not be logged into the identity provider (IdP). Sign back in to the IdP from your browser.
User is unauthorized Verify that the application is ON for the organization or group that contains the user
Unknown Login failed for an unknown reason

Filter log by event name or failure type

  1. Click Add a filter.
  2. Click Event name.
  3. Choose either Failed login or Successful login.
  4. (Optional) For Failed login, you can also choose a Failure type filter.
  5. Click Apply.

The audit log shows entries for each time the particular event occurred during the time range that you set. 

When and how long is data available?

Go to Data retention and lag times.

Related topics

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

true
' data-mime-type=
Start your free 14-day trial today

Professional email, online storage, shared calendars, video meetings and more. Start your free Google Workspace trial today.

Search
Clear search
Close search
Google apps
Main menu
Search Help Center
true
73010
false