Self-Service Metrics

REV 1.0

Table of Contents 

Overview

Downloading Metrics

Import Metrics to Google Sheets

Import Metrics to Microsoft Excel

Appendix A - Metrics Service, Types, and Sub-Types

Appendix B - Metrics Data Elements

Overview

Each Cirrus Identity Service generates logs of transactions. These logs are processed into a standard set of metrics by Cirrus Identity infrastructure on a continuous basis. The base subscription of any Cirrus Identity Service allows for self-service access to download up to 5 weeks (35 calendar days) of metrics using the Cirrus Identity Console.

While there is some variation in the amount of time it takes for processing of logs, the processing for metrics will generally be completed and available for download within 10 minutes of the event occurring on any given Cirrus Identity Service.

Downloading Metrics

Metrics can be downloaded by any Cirrus Console Organization Administrator. To access, first go to the “My Orgs” menu and select the appropriate organization.

Cirrus Console

Select the “Metrics” page from the menu on the left. Before downloading, the administrator needs to provide:

  1. The “Report Time Range” – this can be relative from the current date and time with a default of 1 hour. By selecting “Custom”, an absolute range can be selected. Times are in UTC and the maximum available history for download is 35 days from the current date.

  2. The “Service” – this is the specific Cirrus Identity Service module to report on. Metrics are currently available for:

    1. Cirrus Proxy (proxy)

    2. Cirrus Bridge (bridge)

    3. Cirrus Gateway (gateway)

    4. Cirrus OrgBrandedID (idp)

  3. The “Metric Type” and “Metric Subtype” – this is the specific event to report on. Most services will minimally have a “request” and a “success” event. See Appendix A for a listing of the current combinations of Service, Metric Type, and Metric Subtype available for download.

  4. There is an option to include field headers in the download.

Manage Metrics

Once set, the administrator should press “Submit” and should receive feedback that the request was successfully submitted. 

Manage Metrics

The request will then show in the report requests listing at the bottom of the page.

Report requests

Once the download is generated, the administrator will receive an email sent to the mailbox address associated with the account they logged into the Cirrus Console with. The message will include a link to download the report. The link is only valid for 24 hours. Once the link expires, the administrator must run the report again.

Emailed metric report

Clicking on the link or pasting into a web browser will download the report. Reports are currently formatted as comma separated value (CSV) files. 

Download metric report

The files are traditional CSV formatted text files, and can be imported into any number of applications for further analysis or reporting. 

CSV text file

This guide will next show how to take a sample file of Cirrus Proxy events from the Athena Institute, and generate basic service metrics using both Google Sheets and Microsoft Excel.

Import Metrics to Google Sheets

To import metrics into Google Sheets, start with a new spreadsheet. Select “Import File” and upload the CSV that you downloaded from the Cirrus Console.

Import Metrics to Google Sheets

You can accept the defaults for importing the file.

Accept default settings

After import, you should see the data with a first row of column headers. See Appendix B for descriptions of the columns.

Data

After importing, it would be good to name the sheet if you haven’t already done so.

Name the sheet

One of the main ways to look at metrics is by using a pivot table (see https://support.google.com/docs/answer/1272900 for more information). To add a pivot table to the current sheet, go to the “Insert” menu and select “Pivot table”.

Pivot table

For starters, you can just accept the defaults provided by Google Sheets.

Create pivot table

Google Sheets will then present a dialog on the right to define the pivot table. For starters:

  1. To summarize by service providers, select the “saml_sp” field for the rows
  2. To summarize by the individual Cirrus Proxy logical instances, select the “tenant” field for the columns
  3. To count the number of authentications, select the “user” field for the values and select “COUNTA” for the summation

When done, you should see something like the following: 

Sample proxy metrics

This reports that of the 21 transactions, 18 went to the Athena Canvas instance (entityId == http://cirrusidentity.instructure.com/saml2), 1 went to the demo SP of the Linking Proxy, and 2 went to the demo SP of the MFA Proxy.

Import Metrics to Microsoft Excel

To import metrics into Microsoft Excel, start Excel and open the downloaded from the Cirrus Console – you will likely have to change the file type filter to “Text Files”.

Text Files

Once opened, you should see something like the following:

Microsoft Excel example

If you haven’t already, now would be a good time to save the file in Excel’s native format.

Save excel

The default import of Excel does not handle the formatting of the timestamp correctly. To correct, select the first column, from the “Home” ribbon, adjust the format and select “More Number Formats…”. 

More number formats

Change the format to “Date” and “Type:” of date and 24 hour time as shown:

Date and time

You should now see timestamps with both dates and times.

Timestamps date and time

One of the main ways to look at metrics is by using a pivot table (see https://support.microsoft.com/en-us/office/create-a-pivottable-to-analyze-worksheet-data-a9a84538-bfe9-40a9-a8e9-f99134456576 for more information). To add a pivot table to the current sheet, select all the data for the current sheet. 

Pivot table

Go to the “Insert” menu and select “Pivot Table” from the ribbon.

Insert pivot table

For starters, you can just accept the defaults provided by Excel.

Accept default settings

Excel will then present a dialog on the right to define the pivot table. For starters:

  1. To summarize by service providers, select the “saml_sp” field for the rows
  2. To summarize by the individual Cirrus Proxy logical instances, select the “tenant” field for the columns
  3. To count the number of authentications, select the “user” field for the values and select “COUNTA” for the summation

When done, you should see something like the following: 

Example

Depending on how the data was selected, you may see rows and columns with “(blank)” labels. It is Excel default behavior to include those cells if selected. To not report them, click on the field name in the upper part of the pivot dialog, and de-select “(blank)”. You will want to do this for both the “tenant” field and the “saml_sp” field.

De-select blank

The report should now look like the following:

Example

This reports that of the 21 transactions, 18 went to the Athena Canvas instance (entityId == http://cirrusidentity.instructure.com/saml2), 1 went to the demo SP of the Linking Proxy, and 2 went to the demo SP of the MFA Proxy.

Appendix A - Metrics Service, Types, and Sub-Types

The following table is a current inventory of the metrics that are available for download. 

service

metricType

metricSubtype

Description

bridge

authentication

request

SAML authentication requests made through the Cirrus Bridge

bridge

authentication

success

Successful SAML authentications made through the Cirrus Bridge

bridge

cas

request

CAS authentication requests made through the Cirrus Bridge

bridge

cas

login

Successful CAS authentications made through the Cirrus Bridge using the ‘login’ method

bridge

cas

validate

Successful CAS ticket validations made through the Cirrus Bridge using the ‘validate’ method

bridge

cas

serviceValidate

Successful CAS ticket validations made through the Cirrus Bridge using the ‘serviceValidate’ method

bridge

cas

samlValidate

Successful CAS ticket validations made through the Cirrus Bridge using the ‘samlValidate’ method

gateway

authentication

request

SAML authentication requests made through the Cirrus Gateway

gateway

authentication

success

Successful SAML authentications made through the Cirrus Gateway

idp

authentication

request

SAML authentication requests made through the Cirrus OrgBrandedID

idp

authentication

success

Successful SAML authentications made through the Cirrus OrgBrandedID

proxy

authentication

request

SAML authentication requests made through the Cirrus Proxy

proxy

authentication

success

Successful SAML authentications made through the Cirrus Proxy

proxy

cas

request

CAS authentication requests made through the Cirrus Bridge

proxy

cas

login

Successful CAS authentications made through the Cirrus Bridge using the ‘login’ method

proxy

cas

validate

Successful CAS  ticket validations made through the Cirrus Bridge using the ‘validate’ method

proxy

cas

serviceValidate

Successful CAS  ticket validations made through the Cirrus Bridge using the ‘serviceValidate’ method

proxy

cas

samlValidate

Successful CAS  ticket validations made through the Cirrus Bridge using the ‘samlValidate’ method

Appendix B - Metrics Data Elements

The following is a dictionary of the current attributes available in the download. Not all combinations of service, metric type, and metric subtype will report all data elements.

Data Element

Description

timestamp

The date and time of the event in UTC. 

tenant

The logical instance of the service - for example if there is a production and a UAT proxy, there will be two different tenants.

orgdomain

The organization’s domain as configured in Cirrus Identity.

orgurl

The organization’s orgURL as configured in Cirrus Identity – this will usually match what is registered with InCommon for InCommon members.

orgid

Future attribute.

service

The Cirrus Service being reported on - See Appendix A.

clientip

The IP address of the browser agent accessing the service.

correlationid

An internal identifier generated by the Cirrus Identity logging infrastructure used to correlate transitions across services.

metrictype

The Cirrus Metric Type being reported on - See Appendix A.

metricsubtype

The Cirrus Metric Subtype being reported on - See Appendix A.

spentityid

The entityId of the service provider making the request - used by some services, blank for others.

cas_service

The service URL when using the CAS protocol - blank when the protocol is SAML.

cas_idp_hostname

The fully qualified domain name of the CAS identity provider when using the CAS protocol - blank when the protocol is SAML.

cas_client_ip

The IP address of the browser agent accessing the service using CAS.

user

A calculated value from a cascade of evaluating the ePPN and mail attributes - if there is neither value, the IP address is used. Used for counting traffic.

cas_ticketprefix

The prefix of the CAS protocol ticket.

cas_isproxied

Indicator if the CAS transaction was proxied.

saml_idp

The entityId of the SAML identity provider fulfilling the request (used by some services, blank for others).

saml_sp

The entityId of the SAML service provider making the request (used by some services, blank for others).

saml_idpchain0

For transactions traversing a Proxy or Bridge, the last IdP to make the SAML assertion.

saml_idpchain1

For transactions traversing a Proxy or Bridge, the upstream IdP to make the SAML assertion.

saml_spchain0

For transactions traversing a Proxy or Bridge, the last SP to request the SAML assertion.

saml_spchain1

For transactions traversing a Proxy or Bridge, the downstream SP that requested the SAML assertion.

eppn

The eduPersonPrincipalName attribute associated with the assertion. If blank, was not part of the assertion.

mail

The mail attribute associated with the assertion. If blank, was not part of the assertion.

uid

The uid attribute associated with the assertion. If blank, was not part of the assertion.

© Copyright Cirrus Identity, Inc.

Blog comments