One-Time Code MFA Data Elements
The following is a dictionary of data available through the Data Export of Logs and the LogAPI. Not all combinations of service, type, and subtype will report all of these data elements. Please submit a support ticket if you have any questions on these data elements.
Using the Data Export feature, when the report format is “parsed”, these elements appear as individual fields with corresponding headers in the csv file. When the report format is “raw”, these elements appear in JSON format within the logData field.
Each downloaded log file will include the following data elements.
|
Data Element |
Description |
|
timestamp |
The date and time of the event in UTC. |
|
tenant |
The logical instance of the service - for example if there is a production and a UAT proxy, there will be two different tenants. |
|
orgdomain |
The organization’s domain as configured in Cirrus Identity. |
|
orgurl |
The organization’s orgURL as configured in Cirrus Identity – this will usually match what is registered with InCommon for InCommon members. |
|
orgid |
Future attribute. |
|
service |
The Cirrus Service being reported on - Event Types section. |
|
clientip |
The IP address of the browser agent accessing the service. |
|
correlationid |
An internal identifier generated by the Cirrus Identity logging infrastructure used to correlate transitions across services. |
|
logtype |
The Cirrus Type being reported on - See Event Types section |
|
logsubtype |
The Cirrus Subtype being reported on - See Event Types section |
|
logdata |
Appears when the report format is “raw”. Contains additional data elements specific to each event - see Log Data Elements section |
The following table is a current inventory of the logtype and logsubtype values you will find for the Cirrus Bridge.
|
service |
logtype |
logsubtype |
description |
|
bridge |
authentication |
request |
SAML authentication requests made through the Cirrus Bridge |
|
bridge |
authentication |
success |
Successful SAML authentications made through the Cirrus Bridge |
|
bridge |
cas |
request |
CAS authentication requests made through the Cirrus Bridge |
|
bridge |
cas |
login |
Successful CAS authentications made through the Cirrus Bridge using the ‘login’ method |
|
bridge |
cas |
validate |
Successful CAS ticket validations made through the Cirrus Bridge using the ‘validate’ method |
|
bridge |
cas |
serviceValidate |
Successful CAS ticket validations made through the Cirrus Bridge using the ‘serviceValidate’ method |
|
bridge |
cas |
samlValidate |
Successful CAS ticket validations made through the Cirrus Bridge using the ‘samlValidate’ method |
The following table is a current inventory of the logtype and logsubtype values you may find for the Cirrus Proxy.
|
service |
logtype |
logsubtype |
description |
|
gateway |
authentication |
request |
SAML authentication requests made through the Cirrus Gateway |
|
gateway |
authentication |
success |
Successful SAML authentications made through the Cirrus Gateway |
|
idp |
authentication |
request |
SAML authentication requests made through the Cirrus OrgBrandedID |
|
idp |
authentication |
success |
Successful SAML authentications made through the Cirrus OrgBrandedID |
|
proxy |
authentication |
request |
SAML authentication requests made through the Cirrus Proxy |
|
proxy |
authentication |
success |
Successful SAML authentications made through the Cirrus Proxy |
|
proxy |
cas |
request |
CAS authentication requests made through the Cirrus Bridge |
|
proxy |
cas |
login |
Successful CAS authentications made through the Cirrus Bridge using the ‘login’ method |
|
proxy |
cas |
validate |
Successful CAS ticket validations made through the Cirrus Bridge using the ‘validate’ method |
|
proxy |
cas |
serviceValidate |
Successful CAS ticket validations made through the Cirrus Bridge using the ‘serviceValidate’ method |
|
proxy |
cas |
samlValidate |
Successful CAS ticket validations made through the Cirrus Bridge using the ‘samlValidate’ method |
The following is a dictionary of data available for One-Time Code MFA log events. At this time, these events are only available through the LogAPI.
|
logtype |
logsubtype |
description |
notes |
|
emailMFA |
send |
A code has been sent |
In logData, count: how many times has code been sent email: the user’s email address idpEntityId: authentication provider |
|
emailMFA |
authenticationSuccess |
User entered a valid code |
In logData, count: how many attempts it took email: the user’s email address idpEntityId: authentication provider |
|
emailMFA |
invalidCode |
Invalid code entered |
In logData, count: how many attempts have been made email: the user’s email address idpEntityId: authentication provider |
|
emailMFA |
excessiveFailures |
Too many incorrect attempts |
In logData, count: how many attempts have been made email: the user’s email address idpEntityId: authentication provider |
|
emailMFA |
noEmail |
The authentication provider did not send us an email. |
In logData, idpEntityId: indicates the authentication provider |
|
emailMFA |
expiredState |
The user’s session has expired |
|