Depending on your Google Workspace edition, you might have access to the security investigation tool, which has more advanced features. For example, super admins can identify, triage, and take action on security and privacy issues.
As your organization's administrator, you can run searches and take action on SAML log events. For example, you can view a record of actions to track your users' successful and unsuccessful sign-ins to SAML applications. Entries usually appear within an hour of the user action.
Forward log event data to Google Cloud
You can opt in to share log event data with Google Cloud. If you turn on sharing, data is forwarded to Cloud Logging where you can query and view your logs and control how you route and store your logs.
The type of log event data you can share with Google Cloud depends on your Google Workspace, Cloud Identity, or Essentials account.
Run a search for log events
Your ability to run a search depends on your Google edition, your administrative privileges, and the data source. You can run a search on all users, regardless of their Google Workspace edition.
Attribute descriptions
For this data source, you can use the following attributes when searching log event data:
Attribute | Description |
---|---|
Actor | Email address of the user who performed the action |
Actor group name | The group name of the actor. For more information, go to Filtering results by Google Group. To add a group to your filtering groups allowlist: |
Actor organizational unit | Organizational unit of the actor |
Application name | The SAML application that initiated the event |
Date | The date and time the event occurred (displayed in your browser's default time zone) |
Event | Two types of events are logged: Successful and failed sign-in attempts |
Failure type | For failed sign-in attempts, a failure type is displayed. Go to Failure types and solutions below for details. |
Initiated by | The provider who initiated the event. Can be the identity provider or the service provider. |
IP address | The internet protocol (IP) address used by the user to sign in to the SAML application. This might reflect the user's physical location, but not necessarily. For example, it could instead be a proxy server or a virtual private network (VPN) address. |
Response second level status | Status information about the success or failure of the SAML request. For details on status codes, go to SAML v2.0 Core, Section 3.2.2.2. |
Response status | Status information about the success or failure of the SAML request. For details on status codes, go to SAML v2.0 Core, Section 3.2.2.2. |
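One way to triage exported SAML log events with the attributes in the table above, as an added example that is not Google's code: it flags an IP address with failed sign-ins across several actors, and an actor who repeatedly fails against one application. The CSV layout, the Event and Failure type values, and the function names are assumptions.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export. Column names follow the attribute table above; the
# CSV layout and the Event / Failure type values are assumptions, not Google's.
SAMPLE_CSV = """Date,Actor,Application name,Event,Failure type,IP address
2024-05-01 09:00,alice@example.com,Example Wiki,Failed sign-in,EXAMPLE_TYPE_A,198.51.100.10
2024-05-01 09:01,alice@example.com,Example Wiki,Failed sign-in,EXAMPLE_TYPE_A,198.51.100.10
2024-05-01 09:02,alice@example.com,Example Wiki,Failed sign-in,EXAMPLE_TYPE_A,198.51.100.10
2024-05-01 09:05,bob@example.com,Example CRM,Failed sign-in,EXAMPLE_TYPE_B,203.0.113.7
2024-05-01 09:05,carol@example.com,Example CRM,Failed sign-in,EXAMPLE_TYPE_B,203.0.113.7
2024-05-01 09:06,dave@example.com,Example CRM,Failed sign-in,EXAMPLE_TYPE_B,203.0.113.7
2024-05-01 09:10,bob@example.com,Example CRM,Successful sign-in,,198.51.100.10
"""

def load_events(text):
    """Parse the export into one dict per log event."""
    return list(csv.DictReader(io.StringIO(text)))

def is_failure(row):
    # Assumed wording for the failed sign-in event; adjust to the real export.
    return row["Event"].strip().lower().startswith("failed")

def ips_failing_many_actors(rows, min_actors=3):
    """IP addresses with failed sign-ins for at least min_actors distinct actors."""
    actors = defaultdict(set)
    for row in rows:
        if is_failure(row):
            actors[row["IP address"]].add(row["Actor"])
    return {ip: sorted(a) for ip, a in actors.items() if len(a) >= min_actors}

def repeated_failures(rows, threshold=3):
    """(actor, application) pairs with at least threshold failures, by failure type."""
    per_pair = defaultdict(Counter)
    for row in rows:
        if is_failure(row):
            per_pair[(row["Actor"], row["Application name"])][row["Failure type"]] += 1
    return {k: dict(c) for k, c in per_pair.items() if sum(c.values()) >= threshold}

if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    print(ips_failing_many_actors(events))
    print(repeated_failures(events))
```

Because the IP address can be a proxy server or VPN address, a shared egress address will also match the first check, so treat a hit as a lead to review rather than a verdict.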
Filter data by failure type
- Open the log events as described above.
- Click Add a filter, then Failure type, as described above in Run a search for log events.
- From the drop-down list, select an option.
- Click Apply.
Failure types and solutions
The following failure types are recorded in the log events:
Manage log event data
Take action based on search results
Manage your investigations
Supported editions for this feature: Frontline Standard and Frontline Plus; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus; Cloud Identity Premium.