Pagina pe care ați solicitat-o nu este disponibilă în limba dvs. Puteți să selectați altă limbă din partea de jos a paginii sau să traduceți instantaneu orice pagină web în limba dorită folosind funcția încorporată de traducere din Google Chrome.

SAML log events

View sign-ins to SAML applications

Depending on your Google Workspace edition, you might have access to the security investigation tool, which has more advanced features. For example, super admins can identify, triage, and take action on security and privacy issues. Learn more

As your organization's administrator, you can run searches and take action on SAML log events. For example, you can view a record of actions to track your users' successful and unsuccessful sign-ins to SAML applications. Entries usually appear within an hour of the user action.

Forward log event data to Google Cloud

You can opt in to share log event data with Google Cloud. If you turn on sharing, data is forwarded to Cloud Logging where you can query and view your logs and control how you route and store your logs.

The type of log event data you can share with Google Cloud depends on your Google Workspace, Cloud Identity, or Essentials account.

Run a search for log events

Your ability to run a search depends on your Google edition, your administrative privileges, and the data source. You can run a search on all users, regardless of their Google Workspace edition.

Attribute descriptions

For this data source, you can use the following attributes when searching log event data:

Attribute Description
Actor Email address of the user who performed the action
Actor group name

The group name of the actor. For more information, go to Filtering results by Google Group.

To add a group to your filtering groups allowlist:

  1. Select Actor group name.
  2. Click Filtering groups.
    The Filtering groups page appears.
  3. Click Add Groups.
  4. Search for a group by entering the first few characters of its name or email address. When you see the group you want, select it.
  5. (Optional) To add another group, search for and select the group.
  6. When you finish selecting groups, click Add.
  7. (Optional) To remove a group, click Remove group .
  8. Click Save.
Actor organizational unit Organizational unit of the actor
Application name The SAML application that initiated the event
Date The date and time the event occurred (displayed in your browser's default time zone)
Event Two types of events are logged: Successful and failed sign-in attempts
Failure type For failed sign-in attempts, a failure type is displayed. Go to Failure types and solutions below for details. 
Initiated by The provider who initiated the event. Can be the identity provider or the service provider.
IP address     The internet protocol (IP) address used by the user to sign in to the SAML application. This might reflect the user's physical location, but not necessarily. For example, it could instead be a proxy server or a virtual private network (VPN) address.
Response second level status Status information about the success or failure of the SAML request. For details on status codes, go to SAML v2.0 Core, Section 3.2.2.2.
Response status Status information about the success or failure of the SAML request. For details on status codes, go to SAML v2.0 Core, Section 3.2.2.2.

Filter data by failure type

  1. Open the log events as described above.
  2. Click Add a filterand thenFailure type as described above in Run a search for log events.
  3. From the drop down list, select an option.
  4. Click Apply.

Failure types and solutions

The following failure types are recorded in the log events:

Failure type Solution
Application not configured Verify that the service provider settings (including the Entity ID) are configured correctly in the Admin console
Application not enabled for user In the User access section of the the app's settings page in Admin console, verify that the application is ON for the organization that contains the user
Bad request The request was malformed, or the ACS URL in the request does not match the one configured in Admin console. Check that the ACS URL configured for the service provider is correct.
Invalid name ID mapping There is a mismatch between the NAMEID parameter in the application and the one configured in the app's settings in the Admin console. Check that the schema still exists and reconfigure the NAMEID mapping for the application.
Invalid service provider ID Check that the configuration on the service provider side matches the app-id field configured in Admin console. Ensure that the SP ID being passed in the request URL is the same as the app-id.
Name ID mapping unavailable The mapped attribute for NAMEID mapping could not be found. As administrator, check that the schema still exists and reconfigure the NAMEID mapping for the application.
Passive authentication failed The user could not be logged into the identity provider (IdP). Sign back in to the IdP from your browser.
Unknown Login failed for an unknown reason
User is unauthorized Verify that the application is ON for the organization or group that contains the user

Manage log event data

Take action based on search results

Manage your investigations

Supported editions for this feature: Frontline Standard and Frontline Plus; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus; Cloud Identity Premium. Compare your edition

Was this helpful?

How can we improve it?
true
Start your free 14-day trial today

Professional email, online storage, shared calendars, video meetings and more. Start your free Google Workspace trial today.

Search
Clear search
Close search
Main menu
13612679877250732597
true
Search Help Center
true
true
true
true
true
73010
false
false
false
false