REV 1.3
Self-Service Metrics
REV 1.0
Table of Contents
Import Metrics to Google Sheets
Import Metrics to Microsoft Excel
Appendix A - Metrics Service, Types, and Sub-Types
Appendix B - Metrics Data Elements
Overview
Each Cirrus Identity Service generates logs of transactions. These logs are processed into a standard set of metrics by Cirrus Identity infrastructure on a continuous basis. The base subscription of any Cirrus Identity Service allows for self-service access to download up to 5 weeks (35 calendar days) of metrics using the Cirrus Identity Console.
While there is some variation in the amount of time it takes for processing of logs, the processing for metrics will generally be completed and available for download within 10 minutes of the event occurring on any given Cirrus Identity Service.
Downloading Metrics
Metrics can be downloaded by any Cirrus Console Organization Administrator. To access, first go to the “My Orgs” menu and select the appropriate organization.
Select the “Metrics” page from the menu on the left. Before downloading, the administrator needs to provide:
-
The “Report Time Range” – this can be relative from the current date and time with a default of 1 hour. By selecting “Custom”, an absolute range can be selected. Times are in UTC and the maximum available history for download is 35 days from the current date.
-
The “Service” – this is the specific Cirrus Identity Service module to report on. Metrics are currently available for:
-
Cirrus Proxy (proxy)
-
Cirrus Bridge (bridge)
-
Cirrus Gateway (gateway)
-
Cirrus OrgBrandedID (idp)
-
The “Metric Type” and “Metric Subtype” – this is the specific event to report on. Most services will minimally have a “request” and a “success” event. See Appendix A for a listing of the current combinations of Service, Metric Type, and Metric Subtype available for download.
-
There is an option to include field headers in the download.
Once set, the administrator should press “Submit” and should receive feedback that the request was successfully submitted.
The request will then show in the report requests listing at the bottom of the page.
Once the download is generated, the administrator will receive an email sent to the mailbox address associated with the account they logged into the Cirrus Console with. The message will include a link to download the report. The link is only valid for 24 hours. Once the link expires, the administrator must run the report again.
Clicking on the link or pasting into a web browser will download the report. Reports are currently formatted as comma separated value (CSV) files.
The files are traditional CSV formatted text files, and can be imported into any number of applications for further analysis or reporting.
This guide will next show how to take a sample file of Cirrus Proxy events from the Athena Institute, and generate basic service metrics using both Google Sheets and Microsoft Excel.
Import Metrics to Google Sheets
To import metrics into Google Sheets, start with a new spreadsheet. Select “Import File” and upload the CSV that you downloaded from the Cirrus Console.
You can accept the defaults for importing the file.
After import, you should see the data with a first row of column headers. See Appendix B for descriptions of the columns.
After importing, it would be good to name the sheet if you haven’t already done so.
One of the main ways to look at metrics is by using a pivot table (see https://support.google.com/docs/answer/1272900 for more information). To add a pivot table to the current sheet, go to the “Insert” menu and select “Pivot table”.
For starters, you can just accept the defaults provided by Google Sheets.
Google Sheets will then present a dialog on the right to define the pivot table. For starters:
- To summarize by service providers, select the “saml_sp” field for the rows
- To summarize by the individual Cirrus Proxy logical instances, select the “tenant” field for the columns
- To count the number of authentications, select the “user” field for the values and select “COUNTA” for the summation
When done, you should see something like the following:
This reports that of the 21 transactions, 18 went to the Athena Canvas instance (entityId == http://cirrusidentity.instructure.com/saml2), 1 went to the demo SP of the Linking Proxy, and 2 went to the demo SP of the MFA Proxy.
Import Metrics to Microsoft Excel
To import metrics into Microsoft Excel, start Excel and open the downloaded from the Cirrus Console – you will likely have to change the file type filter to “Text Files”.
Once opened, you should see something like the following:
If you haven’t already, now would be a good time to save the file in Excel’s native format.
The default import of Excel does not handle the formatting of the timestamp correctly. To correct, select the first column, from the “Home” ribbon, adjust the format and select “More Number Formats…”.
Change the format to “Date” and “Type:” of date and 24 hour time as shown:
You should now see timestamps with both dates and times.
One of the main ways to look at metrics is by using a pivot table (see https://support.microsoft.com/en-us/office/create-a-pivottable-to-analyze-worksheet-data-a9a84538-bfe9-40a9-a8e9-f99134456576 for more information). To add a pivot table to the current sheet, select all the data for the current sheet.
Go to the “Insert” menu and select “Pivot Table” from the ribbon.
For starters, you can just accept the defaults provided by Excel.
Excel will then present a dialog on the right to define the pivot table. For starters:
- To summarize by service providers, select the “saml_sp” field for the rows
- To summarize by the individual Cirrus Proxy logical instances, select the “tenant” field for the columns
- To count the number of authentications, select the “user” field for the values and select “COUNTA” for the summation
When done, you should see something like the following:
Depending on how the data was selected, you may see rows and columns with “(blank)” labels. It is Excel default behavior to include those cells if selected. To not report them, click on the field name in the upper part of the pivot dialog, and de-select “(blank)”. You will want to do this for both the “tenant” field and the “saml_sp” field.
The report should now look like the following:
This reports that of the 21 transactions, 18 went to the Athena Canvas instance (entityId == http://cirrusidentity.instructure.com/saml2), 1 went to the demo SP of the Linking Proxy, and 2 went to the demo SP of the MFA Proxy.
Appendix A - Metrics Service, Types, and Sub-Types
The following table is a current inventory of the metrics that are available for download.
service |
metricType |
metricSubtype |
Description |
bridge |
authentication |
request |
SAML authentication requests made through the Cirrus Bridge |
bridge |
authentication |
success |
Successful SAML authentications made through the Cirrus Bridge |
bridge |
cas |
request |
CAS authentication requests made through the Cirrus Bridge |
bridge |
cas |
login |
Successful CAS authentications made through the Cirrus Bridge using the ‘login’ method |
bridge |
cas |
validate |
Successful CAS ticket validations made through the Cirrus Bridge using the ‘validate’ method |
bridge |
cas |
serviceValidate |
Successful CAS ticket validations made through the Cirrus Bridge using the ‘serviceValidate’ method |
bridge |
cas |
samlValidate |
Successful CAS ticket validations made through the Cirrus Bridge using the ‘samlValidate’ method |
gateway |
authentication |
request |
SAML authentication requests made through the Cirrus Gateway |
gateway |
authentication |
success |
Successful SAML authentications made through the Cirrus Gateway |
idp |
authentication |
request |
SAML authentication requests made through the Cirrus OrgBrandedID |
idp |
authentication |
success |
Successful SAML authentications made through the Cirrus OrgBrandedID |
proxy |
authentication |
request |
SAML authentication requests made through the Cirrus Proxy |
proxy |
authentication |
success |
Successful SAML authentications made through the Cirrus Proxy |
proxy |
cas |
request |
CAS authentication requests made through the Cirrus Bridge |
proxy |
cas |
login |
Successful CAS authentications made through the Cirrus Bridge using the ‘login’ method |
proxy |
cas |
validate |
Successful CAS ticket validations made through the Cirrus Bridge using the ‘validate’ method |
proxy |
cas |
serviceValidate |
Successful CAS ticket validations made through the Cirrus Bridge using the ‘serviceValidate’ method |
proxy |
cas |
samlValidate |
Successful CAS ticket validations made through the Cirrus Bridge using the ‘samlValidate’ method |
Appendix B - Metrics Data Elements
The following is a dictionary of the current attributes available in the download. Not all combinations of service, metric type, and metric subtype will report all data elements.
Data Element |
Description |
timestamp |
The date and time of the event in UTC. |
tenant |
The logical instance of the service - for example if there is a production and a UAT proxy, there will be two different tenants. |
orgdomain |
The organization’s domain as configured in Cirrus Identity. |
orgurl |
The organization’s orgURL as configured in Cirrus Identity – this will usually match what is registered with InCommon for InCommon members. |
orgid |
Future attribute. |
service |
The Cirrus Service being reported on - See Appendix A. |
clientip |
The IP address of the browser agent accessing the service. |
correlationid |
An internal identifier generated by the Cirrus Identity logging infrastructure used to correlate transitions across services. |
metrictype |
The Cirrus Metric Type being reported on - See Appendix A. |
metricsubtype |
The Cirrus Metric Subtype being reported on - See Appendix A. |
spentityid |
The entityId of the service provider making the request - used by some services, blank for others. |
cas_service |
The service URL when using the CAS protocol - blank when the protocol is SAML. |
cas_idp_hostname |
The fully qualified domain name of the CAS identity provider when using the CAS protocol - blank when the protocol is SAML. |
cas_client_ip |
The IP address of the browser agent accessing the service using CAS. |
user |
A calculated value from a cascade of evaluating the ePPN and mail attributes - if there is neither value, the IP address is used. Used for counting traffic. |
cas_ticketprefix |
The prefix of the CAS protocol ticket. |
cas_isproxied |
Indicator if the CAS transaction was proxied. |
saml_idp |
The entityId of the SAML identity provider fulfilling the request (used by some services, blank for others). |
saml_sp |
The entityId of the SAML service provider making the request (used by some services, blank for others). |
saml_idpchain0 |
For transactions traversing a Proxy or Bridge, the last IdP to make the SAML assertion. |
saml_idpchain1 |
For transactions traversing a Proxy or Bridge, the upstream IdP to make the SAML assertion. |
saml_spchain0 |
For transactions traversing a Proxy or Bridge, the last SP to request the SAML assertion. |
saml_spchain1 |
For transactions traversing a Proxy or Bridge, the downstream SP that requested the SAML assertion. |
eppn |
The eduPersonPrincipalName attribute associated with the assertion. If blank, was not part of the assertion. |
|
The mail attribute associated with the assertion. If blank, was not part of the assertion. |
uid |
The uid attribute associated with the assertion. If blank, was not part of the assertion. |
© Copyright Cirrus Identity, Inc.
Blog comments