SecureAuth IdP / Identity Platform Appliance audit trail event ID list
This guide provides definitions for Event ID numbers included in the SecureAuth IdP / SecureAuth® Identity Platform appliance audit log.
Event ID classification
ID No. | IdP component | ID No. | IdP component | ID No. | IdP component |
---|---|---|---|---|---|
1xxxx | Web Admin Page UI: | 2xxxx | State Process | 6000 | API Layer: Filter |
11xxx | Workflow | 3xxxx | Pre Auth | 60xxx | DfpController |
12xxx | Data | 4xxxx | Post Auth | 9xxxx | System |
13xxx | RegCode | 5xxxx | Provider: | | |
14xxx | IPsec | 51xxx | Membership Provider | | |
15xxx | Access | 52xxx | Profile Provider | | |
16xxx | Password | 53xxx | OTP Provider | | |
17xxx | License | 54xxx | Certificate Provider | | |
18xxx | Postauth | 55xxx | Link-to-Accept Provider | | |
19xxx | Other | | | | |
SecureAuth IdP / Identity Platform log ID number definitions
Workflow page
ID No. | Message | Definition |
---|---|---|
20000 | Authenticate the user successfully | Successful authentication |
20100 | CreateControlHierarchy | Security violation |
21000 | Land on login page | User browsed SecureAuth.aspx for login |
21010 | Found user with user name successfully | Result after user typed in username on UI |
21020 | Found user, but the user’s group is not allowed | Result after user typed in username on UI |
21070 | User is not found | Cannot find the user based on username |
21090 | User / Password is invalid | Invalid username or password for username / password on the same page |
22100 | Validate password successfully for public mode | For password on a separate page |
22200 | Validate password successfully for cookie mode | For password on a separate page |
22300 | Validate password successfully | For X509 / iOSDeviceID mode, password on a separate page |
22400 | Validate password successfully for Zombie cookie mode | For password on a separate page |
22500 | Validation of password after successful UBC credential check | For zombie cookie, password on a separate page |
22600 | Validate password successfully for FingerPrint mode | For Fingerprint |
23120 | Personal certificate is found and verified by browser ActiveX component or Java plugin | For checking user’s X.509 certificate |
23310 | The cookie exists or not | For mobile cookie |
23420 | Personal certificate is found and verified by browser ActiveX component or Java plugin | For manually reloading the Java plugin |
23610 | Verified UBC Credential | For zombie cookie |
23700 | iOS device ID is found | For iOS device |
23810 | Verified FingerPrint Credential | For Browser Attribute(s) |
24000 | Show OTP/PIN/KBA method options | For OTP, PIN, or KBA methods |
24100 | PIN verification succeeds | For PIN method |
24110 | KBA verification succeeds | For KBA method |
24120 | OTP verification succeeds | For OTP method |
24200 | Wrong PIN number attempt | For PIN method |
24210 | Wrong KBA attempt | For KBA method |
24220 | Wrong OTP attempt | For OTP method |
26020 | Deliver a token cookie | For SecureAuth cookie credential |
26110 | Registered UBC Credential | For zombie cookie credential |
26210 | Write iOS Device ID to database (AD) | For iOS Device ID |
26310 | Registered FingerPrint to datastore | For Browser Attribute(s) |
27010 | Registered the root cert | For X.509 certificate |
27310 | Install X509 certificate successfully | For X.509 certificate |
27320 | Installing X509 certificate failed | For X.509 certificate |
27410 | Install X509 certificate successfully | For manually reloading Java-plugin to install X.509 certificate |
29010 | Security violation with message id | Authentication issue |
29000 | Hardstopped by Analyze Engine | Adaptive Authentication process |
29100 | Hardstopped by Analyze Engine | Adaptive Authentication process |
29990 | Authentication failed | Authentication failure |
YubiKey Multi-Factor Authentication Method
ID No. | Message | Definition |
---|---|---|
24000 | Show registration method options | Page loads and shows the Multi-Factor Authentication radio buttons |
24010 | YubiKey Method Selected | User selects YubiKey |
24120 | One Time Password Success | OTP is successfully validated |
24220 | One Time Password Failed, attempts: 0 | User fails validation |
Pre-Authentication Page
ID No. | Message | Definition |
---|---|---|
31020 | Windows desktop SSO succeeds | For WindowsSSO.aspx, Windows desktop SSO |
31120 | Windows desktop SSO succeeds and redirect users to the destination site | For WindowsSSO2.aspx, Windows desktop SSO |
32010 | SiteMinder integration, redirect user to destination URL | For SiteMinder integration |
33020 | OATH Service user and otp authentication success | OATH service success response |
33030 | OATH Service OTP Failed | OATH service failure response |
33040 | OATH Service Username Failed | OATH service failure response |
Password Throttling Multi-Factor Authentication
ID No. | Message | Definition |
---|---|---|
33300 | User exceeded {MaxFailedAttempts} incorrect password attempts in a span of {Interval} minutes. The account will be inaccessible for a short time. | IdP has recorded more than the configured maximum number of unsuccessful password attempts within the configured throttling interval. While this condition exists, further password attempts will not be sent to LDAP, and the user will not be able to access this realm in IdP. This does not affect the user's other uses of their LDAP account, e.g. through a company internal email client. |
33310 | User exceeded {MaxFailedAttempts} incorrect password attempts; the account is being locked. | If the realm is configured with "PWThrottleHardLockout" as true, exceeding the permitted maximum incorrect password attempts will result in the user's LDAP account being locked. The user will no longer be able to access any system that relies on their LDAP account, and will need to contact an administrator in order to unlock the account. |
Adaptive Authentication with Office 365
ID No. | Message | Definition |
---|---|---|
40601 | Credential validation passed | The call to ValidateUser by user ID and password was successful. |
40601 | ClaimsIdentity set | At least one element exists in the ClaimsPrincipal's identities collection. The first one in the collection will be used. |
40602 | RequestBlockingEngine | The WS-Trust Request Blocking Engine has rejected the request. After this error is logged, the BeginIssue call fails with a 401 Unauthorized and a "FailedAuthentication" FaultCode. |
40603 | WS-Trust token validation failed | The call to ValidateUser by user ID and password failed. After this error is logged, the BeginIssue call fails with a 401 Unauthorized and a "FailedAuthentication" FaultCode. |
40604 | AnalyzeEngineBlocking | The (optional) call to validate the client IP using the Analyze Engine has failed. This means the IP did not pass the Analyze Engine deny list / allow list filter or was rejected by the IP Risk service. It also may occur if the Analyze Engine configuration is incompatible with WS-Trust. |
SQL Membership Provider / SQL Profile Provider
The following event messages are supported in Identity Platform hotfix version 19.07.01-29 and 20.06-6.
New ID No. | Old ID No. | Message | Definition |
---|---|---|---|
SQL Membership Provider | | | |
51411 | | SqlMembershipProvider.GetUser: User Found, DataStoreResponseTime='{responseTime}' | Stored procedure successfully found a user. |
51420 | | SqlMembershipProvider.GetUserNameByEmail: User Found, DataStoreResponseTime='{responseTime}' | Stored procedure successfully found a user via the email field. |
51431 | | SqlMembershipProvider.ChangePassword success: {isValid}, DataStoreResponseTime='{responseTime}' | Changes the password for the given username and returns a status of true or false. (Validates the current password prior to validation.) |
51442 | | SqlMembershipProvider.UpdatePassword success: {retVal}, DataStoreResponseTime='{responseTime}' | Updates the password for the given username and returns a status of true or false without prior validation. |
51450 | | SqlMembershipProvider.EnableUser success: {result}, DataStoreResponseTime='{responseTime}' | Enables an end user account and returns a status of true or false. |
51455 | | SqlMembershipProvider.DisableUser success: {result}, DataStoreResponseTime='{responseTime}' | Disables an end user account and returns a status of true or false. |
51460 | | SqlMembershipProvider.CreateUser statusCode: {iStatus}, DataStoreResponseTime='{responseTime}' | Creates an end user account. |
51470 | | SqlMembershipProvider.UnlockUser result: {result}, DataStoreResponseTime='{responseTime}' | Unlocks an end user account and returns a status of true or false. |
51475 | | SqlMembershipProvider.LockUser result: {result}, DataStoreResponseTime='{responseTime}' | Locks an end user account and returns a status of true or false. |
51480 | 51003 | SqlMembershipProvider.AddUserToGroup: for user: {userName}, Exception: {ex.Message} | Error occurred while adding the username to a group in the SQL database. |
51481 | | SqlMembershipProvider.AddUserToGroup result: {retVal}, DataStoreResponseTime='{responseTime}' | Adds the username to a group in the SQL database and returns a value of true or false. |
51421 | | SqlMembershipProvider.GetPasswordWithFormat result: {result}, DataStoreResponseTime='{responseTime}' | Gets the password of the user for validation and returns a status of true if the password is not null, or false if the password is null. |
SQL Profile Provider | | | |
52410 | | SqlProfileProvider.GetPropertyValuesBase: User Properties Found, DataStoreResponseTime='{responseTime}' | The profile was successfully found. |
52412 | 52002 | SqlProfileProvider.GetPropertyValues: getting 'kba' for user: {userName}, Exception: {ex.Message} | Error occurred while parsing the KBA property. |
52413 | 52002 | SqlProfileProvider.GetPropertyValues: getting 'kba/kbq' for user: {userName}, Exception: {ex.Message} | Error occurred while parsing the KBQ property. |
52414 | 52001 | SqlProfileProvider.GetPropertyValues: for user: {userName}, Exception: {ex.Message} | Error occurred while parsing the property values. This error can occur for any property other than KBA and KBQ. |
52420 | | SqlProfileProvider.SetPropertyValuesBase DeriveParameters, DataStoreResponseTime='{responseTime}' | Derives the parameters of the set profile stored procedure. |
52423 | 52060 | Set property 'KBA/KBQ' value with encoding | Can occur in the audit log if using the Base 64 format. Mutually exclusive to the next two messages. |
52423 | 52060 | Set property 'KBQ' value with encryption | Can occur in the audit log if using the encryption format. Mutually exclusive to the previous and next messages. |
52423 | 52060 | Clear property 'KBQ' value with encryption | Can occur in the audit log if no value is being saved. Mutually exclusive to the previous two messages. |
52424 | 52060 | Set property 'KBA' value with encryption | Can occur in the audit log if using the encryption format. Mutually exclusive to the next message. |
52424 | 52060 | Clear property 'KBA' value with encryption | Can occur in the audit log if no value is being saved. Mutually exclusive to the previous message. |
52423 | 52004 | SqlProfileProvider.SetPropertyValues: setting 'kba/kbq' with kbversion '{_kbVersion}' for user: {userName}, Exception: {ex.Message} | Error occurred while setting KBA or KBQ. |
52425 | | SqlProfileProvider.SetPropertyValuesBase: ExecuteNonQuery success: {rets > 0}, DataStoreResponseTime='{responseTime}' | Sets the changed property values and returns a value to validate if the values were set. |
52423 | | SqlProfileProvider.SetPropertyValues: for user: {userName}, Exception: {ex.Message} | Error occurred while setting property values for the specified username. |
52405 | 52060 | SqlProfileProvider.SetPropertyValues: set '{svcKey}' to '{cmdParamKey}' | Occurs each time a user logs in and specifies the property value (e.g., email1, phone1, etc.) that will be set in the database. |
'{responseTime}' = the response time returned in milliseconds
User Membership / Profile Retrieval
ID No. | Message | Definition |
---|---|---|
51010 | Found the user with the name | Found the user in AD |
51020 | Cannot find the user with the name | Username not found in AD |
51080 | GetUser: return user membership data with the name: {userName} with the result code: {sResult} | User found |
51160 | Password cannot be validated | User password is incorrect |
51160 | Validation failed with name and password | User password is incorrect |
51170 | Password is validated | User password is correct |
52010 | Retrieved user profile data | Retrieved user profile from AD |
52060 | Set ‘[User profile attribute name]’ to ‘[AD attribute name]’ | Save data to AD with attribute name |
52070 | Updated user profile | Commit saving modified user profile data to AD |
Help Desk Email Provider
ID No. | Message | Definition |
---|---|---|
53000 | Before Sending OTP Email to Helpdesk | Trace |
53001 | Sending OTP with Helpdesk Exception | Error occurred in the sending process |
53010 | After Sending OTP with Helpdesk | Trace after the email is sent successfully |
53020 | Response time of sending OTP with Helpdesk | Follows 53000 to track response time |
OTP HTML Email Provider
ID No. | Message | Definition |
---|---|---|
53100 | Before Sending OTP Html Email | Trace |
53101 | Sending OTP with Html Email Exception | Error occurred in the sending process |
53110 | After Sending OTP with Html Email | Trace after the email is sent successfully |
53120 | Response time of sending OTP with Html Email | Follows 53100 to track response time |
OTP Text Email Provider
ID No. | Message | Definition |
---|---|---|
53200 | Before Sending OTP Text Email | Trace |
53201 | Sending OTP with Text Email Exception | Error occurred in the sending process |
53210 | After Sending OTP with Text Email | Trace after the email is sent successfully |
53220 | Response time of sending OTP with Text Email | Follows 53200 to track response time |
OTP Responses
ID No. | Message | Definition |
---|---|---|
53020 | Response time of sending OTP: | Sent help desk OTP email |
53120 | Response time of sending OTP: | Sent HTML OTP email |
53220 | Response time of sending OTP: | Sent text OTP email |
53310 | Response time of sending OTP in domestic call/WSE: [response time in ms] | Sent domestic OTP SMS via WSE call |
53330 | Response time of sending OTP in international call/WSE with [Provider name]: [response time in ms] | Sent international OTP SMS via WSE call |
53350 | Response time of sending OTP in domestic call with [Provider name]: [response time in ms] | Sent domestic OTP SMS |
53370 | Response time of sending OTP in international call with [Provider name]: [response time in ms] | Sent international OTP SMS |
53430 | Response time of sending OTP in domestic call/WSE: | Sent domestic OTP phone call via WSE |
53450 | Response time of sending OTP in international call/WSE: | Sent international OTP phone call via WSE |
53470 | Response time of sending OTP in domestic call: | Sent domestic OTP phone call |
53490 | Response time of sending OTP in international call | Sent international OTP phone call |
Provider Events
Note
Duplicated event ID numbers for Number Profile and Push Notification (asterisked in the tables below) are being addressed for correction in a future software release.
ID No. | Message | Definition |
---|---|---|
53500 * | NumberProfileProvider.GetNumberProfileModel - Status '{Current Carrier Status}' Reason: '{reason}' | Trace made when the provider gets the number profile of the user's number |
53501 ** | NumberProfileProvider.GetNumberProfileModel - number profile is null | Either the provider's number profile is null, or the current carrier is null |
53502 | NumberProfileProvider.GetNumberProfileModel - not configured for blocking | The realm is not configured for phone profile blocking |
53510 *** | NumberProfileProvider.UpdateNumberProfile - Number: {user's number}, Ported Status: {user's PortedStatus} | Trace made in the provider when the number status is saved into the user's profile |
53520 | NumberProfileProvider.RemoveNumberProfile - Number: {old number} | Trace made in the provider when user chooses to remove a number from their profile |
Push Notification
ID No. | Message | Definition |
---|---|---|
53500 * | Before sending OTP in push notification w/ WSE | Trace made when the provider sends the OTP |
53501 ** | Sending OTP with {Push Provider}, Exception: {message} | Sending OTP with Push notification exception |
53510 *** | Response time of sending OTP in push notification w/ WSE | Follows 53500 to track Response Time |
53540 | Before sending push accept w/ WSE with: | Trace made when the provider sends the Push Accept Request |
53550 | Response time of sending push accept w/ WSE | Follows 53540 to track Response Time |
53510 *** | {Provider}.Send push accept response: {status}, {statusMessage}, {Response Time} | Logs the user's response to Push Accept |
Certificate Request to SecureAuth CA Cloud (sent CSR and received response)
ID No. | Message | Definition |
---|---|---|
54010 | Received response, response time of CSR in WSE call | Received via WSE call |
54030 | Received response, response time of CSR: | Response time of CSR |
54050 | Received response, response time of CSR in KEYGEN/WSE call | For Keygen, received via WSE call |
54070 | Received response, response time of CSR in KEYGEN | For Keygen |
54110 | Received response, response time of CSR in SCEP call | For SCEP call |
Note
Event ID number 55101 (asterisked in the HTML Email and SMS tables below) is used for three types of events.
HTML Email
ID No. | Message | Definition |
---|---|---|
55100 | Before sending LTA with: {Name}, to {maskedEmail} | This trace message is logged before an attempt is made to send the login request. A successful call is followed by an “After sending...” (55120) tracking message and a “Response time...” (55110) log for performance monitoring. |
55101 * | {Provider}.Send, did not obtain a login RequestID from SA Cloud. | SecureAuth IdP made an unsuccessful attempt to obtain a SecureAuth Link-to-Accept link and associated RequestID from the SA Cloud service. The attempt failed because either the IdP was unable to obtain a Bearer token using the customer ID and certificate thumbprint, or (less likely) SA Cloud did not create and return the link as requested. |
55101 * | Sending LTA with {Provider}, Exception: {Message} | An exception occurred before attempting to send a SecureAuth Link-to-Accept message, either when contacting SA Cloud or when building the message. |
55102 | Sending LTA with {Provider}, Exception: {Message} | An exception occurred after building the SecureAuth Link-to-Accept message, during an attempt to send the message. |
SMS
ID No. | Message | Definition |
---|---|---|
55101 * | {Provider}.Send, did not obtain a login RequestID from SA Cloud. | SecureAuth IdP made an unsuccessful attempt to obtain a SecureAuth Link-to-Accept link and associated RequestID from the SA Cloud service. The attempt failed because either the IdP was unable to obtain a Bearer token using the customer ID and certificate thumbprint, or (less likely) SA Cloud did not create and return the link as requested. |
Text Email
ID No. | Message | Definition |
---|---|---|
55200 | Before sending LTA with: {Name}, to {maskedEmail} | This trace message is logged before an attempt is made to send the login request. A successful call is followed by an “After sending...” (55220) tracking message and a “Response time...” (55210) log for performance monitoring. |
55201 | Sending LTA with {Provider}, Exception: {Message} | An exception occurred after building the SecureAuth Link-to-Accept message, during an attempt to send the message. |
Request Manager
ID No. | Message | Definition |
---|---|---|
55302 | AcceptDenyRequestStatusManager.GetStatusByLinkRequestId: {Message} | An exception occurred while attempting to request the status of a pending SecureAuth Link-to-Accept link from SA Cloud. Note the RequestID for a link is different than the random characters ("nonce") in the link itself. |
55320 | AcceptDenyRequestStatusManager.GetStatusByLinkRequestId: {RequestID} returned {Status} | This status is logged when SA Cloud replied to a request for a link status. In normal operations, SA Cloud does not return when a link is pending; this log message appears when the user clicked on either the accept or deny link, or when the link has expired (~ 4 minutes, by default). |
API Layer
ID No. | Message | Definition |
---|---|---|
60000 | HMAC authentication validation failed log | Filter action |
60101 | User controller entry point log of request to retrieve Multi-Factor collection for user | Controller action |
60102 | User controller exit point log of response to retrieve Multi-Factor collection for user | Controller action |
60103 | User controller entry point log of request to retrieve profile for user | Controller action |
60104 | User controller exit point log of response to retrieve profile for user | Controller action |
60105 | User controller entry point log of request to update user profile | Controller action |
60106 | User controller exit point log of response to update user profile | Controller action |
60107 | User controller entry point log of request to associate a single user with a single group | Controller action |
60108 | User controller exit point log of response to associate a single user with a single group | Controller action |
60109 | User controller entry point log of request to associate multiple users with a single group | Controller action |
60110 | User controller exit point log of response to associate multiple users with a single group | Controller action |
60111 | User controller entry point log of request to associate multiple groups with a single user | Controller action |
60112 | User controller exit point log of response to associate multiple groups with a single user | Controller action |
60113 | User controller entry point log of request to create new user | Controller action |
60114 | User controller exit point log of response to create new user | Controller action |
60115 | User controller entry point log of request to reset password | Controller action |
60116 | User controller exit point log of response to reset password | Controller action |
60117 | User controller entry point log of request to change password | Controller action |
60118 | User controller exit point log of response to change password | Controller action |
60201 | Authentication controller entry point log of request to perform some type of authentication | Controller action |
60202 | Authentication controller exit point log of response of an invalid user ID | Controller action |
60203 | Authentication controller exit point log of response to perform some type of authentication | Controller action |
60204 | Authentication controller entry point log of request to get Push-to-Accept status | Controller action |
60206 | Authentication controller entry point log of request to create Access History record | Controller action |
60207 | Authentication controller exit point log of response of an invalid user ID | Controller action |
60208 | Authentication controller exit point log of response to create Access History record | Controller action |
60301 | IP evaluation controller entry point log of request to evaluate IP threat level | Controller action |
60302 | IP evaluation controller exit point log of response to evaluate IP threat level | Controller action |
60401 | Mobile DFP controller entry point log of request to validate mobile DFP | Controller action |
60402 | Mobile DFP controller exit point log of response to validate mobile DFP | Controller action |
60501 | Adaptive Auth controller entry point log of request to invoke analyze engine | Controller action |
60502 | Adaptive Auth controller exit point log of response of an invalid user ID | Controller action |
60503 | Adaptive Auth controller exit point log of response of analyze engine results | Controller action |
60601 | DFP controller entry point log of request to validate / score a device fingerprint | Controller action |
60602 | DFP controller exit point log of response of an invalid user ID | Controller action |
60603 | DFP controller exit point log of response to validate / score a device fingerprint | Controller action |
60604 | DFP controller entry point log of request to confirm a previously scored device fingerprint | Controller action |
60605 | DFP controller exit point log of response of an invalid user ID | Controller action |
60606 | DFP controller exit point log of response to confirm a previously scored device fingerprint | Controller action |
60701 | SecureAuth controller entry point of request to check Push-to-Accept status. USED INTERNALLY BY IdP | Controller action |
DFP Controller (API calls)
ID No. | Message | Definition |
---|---|---|
60601 | [DfpController].[PostValidateDfpAsync] DFP controller invoked with: '{dfpRequest}' | After a DFP request is made |
60602 | [DfpController].[PostValidateDfpAsync] Returning response with: '{badUserResponse}' | Validation after a bad user DFP response |
60603 | [DfpController].[PostValidateDfpAsync] Returning response with: '{dfpRequest}' | Validation after a DFP request is made |
60604 | [DfpController].[PostConfirmDfpAsync] DFP controller invoked with: '{dfpRequest}' | Confirmation after a DFP request is made |
60605 | [DfpController].[PostConfirmDfpAsync] Returning response with: '{badUserResponse}' | Confirmation after a bad user DFP response |
60606 | [DfpController].[PostConfirmDfpAsync] Returning response with: '{dfpRequest}' | Response after a DFP request is made |
60607 | [DfpController].[PostScoreDfpAsync] DFP controller invoked with: '{dfpRequest}' | After scoring a DFP request |
60608 | [DfpController].[PostScoreDfpAsync] Returning response with: '{badUserResponse}' | Score after a bad user DFP response |
60609 | [DfpController].[PostScoreDfpAsync] Returning response with: '{dfpRequest}' | Score after a DFP request is made |
60610 | [DfpController].[PostSaveDfpAsync] DFP controller invoked with: '{dfpRequest}' | After a DFP request is saved |
60611 | [DfpController].[PostSaveDfpAsync] Returning response with: '{badUserResponse}' | Response after saving a bad user DFP response |
60612 | [DfpController].[PostSaveDfpAsync] Returning response with: '{dfpRequest}' | Response after a DFP request is saved |
System
ID No. | Message | Definition |
---|---|---|
90000 | Application - Start | Web page starts |
90010 | Session - Start | New session starts |
90020 | Application - Begin request | Appears for each web request |
90030 | Application - End request | Appears for each web request |
90040 | (value in milliseconds for response time of each web page request) | Response time when user browses a web page |
90050 | Session - End | Session ends |
90060 | Application - End | Web page ends |