Skip to content

Authentication Audit

Authentication Audit

The Authentication audit provides a trail of all attempts by users (or service accounts) to prove their identity. This authentication process can have multiple steps, depending on authentication rules and upstream identity providers.

Not all stages will have all fields available. Each step has a timestamp (in UTC), an ‘Email’ (user), ‘Source IP’, Stage, Event, and Application Name (authentication client).

Authentication audits are also available via the API where additional columns may be extracted.

user_id: stringThe system-local id of the user performing the action.
upstream_user_id: stringThe id of the user in the upstream system, if available.
org_id: stringThe id of the organisation of the issuer against which the user is authenticating.
org_name: stringThe name of the organisation of the issuer against which the user is authenticating.
time: date-timethe time at which the record was generated.
event: stringThe event which generated the record. The meaning of the event depends on the stage where it occured.
source_ip: stringThe IP address of the host initiating the action
token_id: stringThe id of the token issued or reissued as part of the authentication.
trace_id: stringA correlation ID associated with requests related to this event
session: stringThe session associated with tokens related to this event. This can be used to tie the actions undertaking by requests bearing tokens with the same session back to the authentication events which created the tokens.
issuer: stringThe issuer the user logged in to.
client_id: stringThe client id of the web application, client, etc. that the user is logging in with. Note that this is not the id of the IssuerClient, but rather the id presented to the authentication system to identify that client. This corresponds to name in the IssuerClient.
application_name: stringThe name of the application within the system the user is logging in to.
login_org_id: stringThe id of the organisation that the user is logging in to. Note that this is disctinct from the org_id field, which is tied to the issuer. This id is tied to the application.
login_org_name: stringThe name of the organisation that the user is logging in to. This corresponds to login_org_id.
upstream_idp: stringThe name of the identity provider proving the identity of the user.
stage: stringThe stage of the login process. This identifies where in the pipeline the event was generated.
user_agent: stringThe user agent of the client used to perform the login.