How To: Search The Identity Hub logs
The Identity Hub keeps extensive logs on all requests. These can be searched in case of problems reported by users.
Note
For an On-Premises installation it might be that purging options are enabled.
Searching the logs
When searching the logs the first 20 entries (per log type) are returned. When scrolling through the list, more entries are loaded on demand.
- Navigate to the Tenant Admin Page (https://www.theidentityhub.com/{tenant}/Admin) and click on Logs in the left navigation.
- Enter, check and select the desired filter parameters.
- Click Search.
Type of logs
Type | Description |
---|---|
Account Provider | Provides information on the authentication flow performed by users trying to authenticate using the Account Provider. |
Logon Sessions | Provides information on the logon sessions of users that authenticated or tried to authenticate. |
Apps | Provides information on the operations performed by Apps authenticating users. |
Hub Audit | General auditing of operations and requests. (Includes audited actions in the Admin area of The Identity Hub.) |
Verbose
If checked, informational messages are included as well; otherwise only warning and error log entries are shown.
Note
For an On-Premises installation it might be that purging options are enabled. In that case the verbose information is only available for a limited period.
Account Provider
Currently the following logs can be filtered on Account Provider:
- Account Provider
- Logon Sessions
All Account Providers that are available for the Tenant are listed in the drop-down. By selecting one of the Account Providers the logs will be filtered to only return entries applying to the selected Account Provider.
Date Range
By providing a From and Till Date logs can be filtered by date range. The From Date is the date of the oldest log entry to return. The Till Date is the date for the newest log entry to return.
Search Text
The results can be filtered by providing a search text. Currently the search text is matched against the following log entry properties:
Log Type | Property | Description |
---|---|---|
Account Providers | MessageId | The unique id of the logged Account Provider operation. When there is a problem authenticating, this id is displayed to the user. |
Account Providers | Message | The message describing the logged Account Provider operation. |
Logon Sessions | Failure Code | Currently the only value is "Master Account Provider Cancelled" (1) |
Logon Sessions | Given Name | The given name of the user that (tries to) authenticate |
Logon Sessions | Surname | The surname of the user that (tries to) authenticate |
Logon Sessions | Email address | The email address of the user that (tries to) authenticate |
Apps | Description | The description of the operation |
Apps | Request URI | The request URI resulting in the operation |
Apps | Client Display Name | The display name of an App as found on the details page of the App |
Apps | Client Id | The unique id of an App as found on the details page of the App |
Apps | Identity Display Name | The display name of the user |
Apps | Identity Id | The unique id of a user as found on the details page of the User |
Hub Audit | Message | The message that was audited |
Hub Audit | Client IP Address | The IP address of the client making the request |
Hub Audit | Identity Display Name | The display name of the user |
Hub Audit | Identity Id | The unique id of a user as found on the details page of the User |
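To make the filter semantics of this page concrete (log type, Verbose, Account Provider, Date Range and Search Text matched against the properties in the table above), here is an added Python example that applies the same filters to a few constructed log entries, for instance to triage an exported copy of the logs offline. This is not Identity Hub code: the entry shape, the level names and the "tih-0001" identifier are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
# Properties the search text is matched against, per log type (from the Search Text table).
SEARCH_PROPERTIES = {
    "Account Provider": ("MessageId", "Message"),
    "Logon Sessions": ("Failure Code", "Given Name", "Surname", "Email address"),
    "Apps": ("Description", "Request URI", "Client Display Name", "Client Id",
             "Identity Display Name", "Identity Id"),
    "Hub Audit": ("Message", "Client IP Address", "Identity Display Name", "Identity Id"),
}
PROVIDER_FILTERABLE = {"Account Provider", "Logon Sessions"}  # only these filter on provider

@dataclass
class LogEntry:                # assumed entry shape; the real storage format is not documented
    log_type: str
    level: str                 # assumed level names: "Information", "Warning", "Error"
    timestamp: datetime
    account_provider: str      # "" when the entry is not tied to an Account Provider
    properties: dict           # property name -> value, names as in SEARCH_PROPERTIES

def search_logs(entries, log_type, verbose=False, account_provider="",
                from_date=None, till_date=None, search_text=""):
    """Apply the admin page's filters: log type, Verbose, Account Provider,
    Date Range (From/Till inclusive) and case-insensitive Search Text."""
    needle = search_text.lower()
    hits = []
    for e in entries:
        if e.log_type != log_type:
            continue
        if not verbose and e.level == "Information":   # Verbose unchecked: warnings/errors only
            continue
        if (account_provider and log_type in PROVIDER_FILTERABLE
                and e.account_provider != account_provider):
            continue
        if (from_date and e.timestamp < from_date) or (till_date and e.timestamp > till_date):
            continue
        if needle and not any(needle in str(e.properties.get(p, "")).lower()
                              for p in SEARCH_PROPERTIES[log_type]):
            continue
        hits.append(e)
    return hits

# Constructed sample entries (not real Identity Hub output); "tih-0001" is a placeholder TIH id.
T = datetime(2024, 5, 1, 10, 0)
SAMPLE = [
    LogEntry("Apps", "Warning", T, "", {"Description": "redirect uri does not match the app"}),
    LogEntry("Hub Audit", "Information", T, "", {"Message": "User signed in", "Identity Id": "tih-0001"}),
    LogEntry("Account Provider", "Information", T, "Corp ADFS", {"Message": "SAML-P response for alice@example.com"}),
    LogEntry("Account Provider", "Information", T, "O365", {"Message": "Graph call for ppid-placeholder"}),
]
```

Note that the "User signed in" entry only appears when `verbose=True`, which mirrors the Verbose checkbox requirement in the User actions use case further down.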
Use cases
Below, some of the use cases for the logs are explained based on the context and the filter settings required to retrieve the related log messages.
Account Providers
Error messages returned by account providers are logged in the Account Providers log as errors.
Message search words: {the id used in the error message}
Verbose: no (Logged as Error)
Log: Account Provider
SAML-P account provider
The user states that they have a role in the IDP, but this role is not passed to the application by The Identity Hub
When The Identity Hub receives a SAML-P response, or other information from the IDP, this is logged in the Account Provider Trace Logs as information.
If a user claims to be part of a certain (security) group, while the role does not get assigned by The Identity Hub, verify whether the role claim is passed correctly to The Identity Hub.
Message search words: {the email address of the user or the UPN of the user}
Verbose: yes (Logged as information)
Log: Account Provider
AccountProvider: pick the applicable account provider for the user
Make sure the searched time range includes the time the user signed in.
Once the results are shown, use CTRL+F in your browser and search for the Role name in the account provider response.
If the role is passed in the response, verify the claim mappings on the account provider.
If not, the administrator of the user's IDP should verify whether the user is a member of the (security) group.
It is also possible to check the Hub Audit log to know the roles passed to an app.
For a new SAML-P account provider users are not auto-provisioned
When The Identity Hub receives a SAML-P response this is logged in the Account Provider Trace Logs as information.
To identify a user, the Subject node in the SAML-P response is used. Either the nameID node must be specified in the Subject, or the name claim http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name must be part of the assertions.
If neither is present, the user receives an error stating that the authentication has failed.
Message search words: {the email address of the user or the UPN of the user}
Verbose: yes (Logged as information)
Log: Account Provider
AccountProvider: pick the applicable account provider for the user
Make sure the searched time range includes the time the user signed in.
Once the results are shown, use CTRL+F in your browser and search for the UPN value in the account provider response.
If the UPN information is not present in the SAML-P response (either in the nameID node of the Subject, or as name claim in the assertions), then in case of ADFS verify whether the "The Identity Hub UPN" rules are set up correctly.
See the ADFS required settings related to The Identity Hub UPN claim rules
O365 account provider
The O365 account provider uses the Microsoft Graph API to retrieve user information and roles. This is done in several successive calls. To find the logging related to a specific login, use the correct timeframe and the Private Personal Identifier of the user.
Message search words: {the Private Personal Identifier of the user}
Verbose: yes (Logged as information)
Log: Account Provider
AccountProvider: pick the applicable O365 account provider for the user
Apps
Issues due to wrong parameters passed by an OAuth / OpenID Connect or SAML-P app are found in this log.
To find messages related to a specific app, use the unique client id of the app as listed on the apps overview as search parameter.
See below for specific cases.
Incorrect redirect parameter (OAuth / OpenID Connect)
Message search words: redirect uri
Verbose: no (Logged as Warning)
Log: Apps
=> the redirect URI should match (exactly) one of the URLs defined in the app
Missing signature on the request (SAML-P)
Message search words: The signature of the authentication request
Verbose: no (Logged as Error)
Log: Apps
=> ask the technical contact of the app to sign the authentication request.
Incorrect or blocked issuer (SAML-P)
Message search words: No service provider
Verbose: no (Logged as Warning)
Log: Apps
=> a request was received for a blocked or non-existing app. If the request is valid, update the related app.
Incorrect client secret
Message search words: client secret
Verbose: no (Logged as Warning)
Log: Apps
=> check with the technical contact of the app that they are using the correct client secret.
Duplicate attempts to exchange an authorization code
Message search words: authorization code
Verbose: no (Logged as Warning)
Log: Apps
=> if the app works as expected, a user has probably reloaded a request; no action needed.
Incorrect PKCE code verifier
Message search words: code_verifier
Verbose: no (Logged as Warning)
Log: Apps
=> ask the technical contact of the app to verify their flow and whether they use PKCE.
Missing signing certificate
Message search words: has no signing certificate set
Verbose: no (Logged as Warning)
Log: Apps
=> the app requires a certificate to sign with; go to the app and either use the Tenant Token Signing certificate or add one specific to the app.
Hub Audit
Clients not using TLS 1.2
By default The Identity Hub uses TLS 1.2. However, some clients might not support this yet.
To determine which clients still need to upgrade, apply the following filter:
Message search words: using protocol
Verbose: no (Logged as Warning)
Log: Hub Audit
Blocked Redirects
The list of white-listed URLs can be seen in the admin module in the White Listed Urls overview.
When requested redirect parameters do not comply with this list, these blocked redirects are logged.
Message search words: Blocked redirect
Verbose: no (Logged as Warning)
Log: Hub Audit
User actions
Actions by users are audited in the Hub Audit log as verbose information.
To find actions by a particular user, find the unique TIH Identifier of the user and use it as search word.
Verbose: yes
Log: Hub Audit
Make sure the searched time range includes the time the user signed in.
Action | Message search words | User Specific search words |
---|---|---|
2FA verification | Second factor verification succeeded | Second factor verification succeeded for identity with id {{unique TIH Identifier}} |
incorrect 2FA verification | Second factor verification failed | Second factor verification failed for identity with id {{unique TIH Identifier}} |
User logs in for an app (see note) | User signed in | {{unique TIH Identifier}} |
Delete profile | deleted his/her profile | Identity with id {{unique TIH Identifier}} deleted his/her profile |
Start Password recovery | Password recovery flow for Identity | Password recovery flow for Identity with id {{unique TIH Identifier}} |
Remove 2FA app | has removed Verificator App | Identity with id {{unique TIH Identifier}} has removed Verificator App |
Note
If a user has a role, but this role is not linked to the app, then the role will not be passed to the app in a claim.
Identity (Admin) actions
Actions by admins on user records are audited in the Hub Audit log.
Actions done by identities on their own profile are also audited in the Hub Audit log.
Action | Message search words | User Specific search words | Verbose |
---|---|---|---|
Searching Identity Details | Identities searched for filter | | No |
Viewing Identity Details / Roles / Apps | are viewed by | Identity Details for Identity with id {{unique TIH Identifier}} are viewed | No |
Block an Identity | is disabled by | Identity with id {{unique TIH Identifier}} is disabled | No |
Unblock an Identity | is enabled by | Identity with id {{unique TIH Identifier}} is enabled | No |
Delete an Identity (by user) | deleted his/her profile | Identity with id {{unique TIH Identifier}} deleted his/her profile | No |
Delete an Identity (by admin) | is deleted by | Identity with id {{unique TIH Identifier}} is deleted | No |
Manual update roles for an Identity | Roles updated for Identity | Roles updated for Identity with id {{unique TIH Identifier}} | No |
Start Password recovery | Password recovery flow for Identity | Password recovery flow for Identity with id {{unique TIH Identifier}} | No |
Reset 2FA (by admin) | Verificator App settings are reset | Verificator App settings are reset for Identity with id {{unique TIH Identifier}} | No |
Remove 2FA app (by user) | has removed Verificator App | Identity with id {{unique TIH Identifier}} has removed Verificator App | No |
To get an overview of actions done on the profile of a specific user within a given period (keep the searched period as narrow as possible!):
- Find the unique TIH Identifier of the user (displayed in the Users overview).
- Use the unique identifier as search value to search in the Hub Audit log.
Tenant Admin actions
Action | Message search words for log | Verbose |
---|---|---|
Send Tenant Admin Invitation | Administrator invitation for tenant | No |
Download Report | downloaded by | No |