5.11 Authentication Management Events

XDASv1 specified authentication as a modification of session attributes. XDASv2 makes authentication a first-class event, because authentication decisions are central to any audit trail.

Table 5-11 Authentication Events Taxonomy

Columns: Event Name | Event Identifier | eDirectory Events | Description | Use

Authenticate Session
Event Identifier: 0.0.11.0
eDirectory Events: DSE_AUTHENTICATE
Description: A new identity is associated with a session.
Use: When a user authenticates a session, a new identity is associated with that session. That identity is then used to authorize requests for protected resources.
NOTE: Prior to eDirectory 8.8.8 P9, the DSE_LDAP_BIND, DSE_LDAP_BINDRESPONSE and DSE_LOGIN events are used to monitor the Authenticate Session event.

Unauthenticate Session
Event Identifier: 0.0.11.1
eDirectory Events: DSE_LDAP_UNBIND
Description: A user has actively disassociated his or her identity from an existing authenticated session.
Use: When a user clicks the "Logout" button in a web browser, the previously authenticated identity is removed from the existing authenticated session.

Create Access Token
Event Identifier: 0.0.11.4
eDirectory Events: DSE_ALLOW_LOGIN, DSE_GEN_CA_KEYS, DSE_RECERT_PUB_KEY
Description: A SAMLv2, WS-*, OAuth, or other access token was provided upon request.
Use: A resource access token was created by a service (or identity) provider to send to a service consumer. Access is limited by time frame, by the specifically requested resources, or by other limiting criteria, in terms of a contract expressed as previously agreed name/value pairs in the token. Creating and sending an access token starts a new pseudo-identity with limited and specific rights to protected resources. This pseudo-identity can be used as a correlation identifier between this event and future authorization events. The actual identity of the system user behind the access token may or may not be hidden from the consumer.

NOTE: To monitor failed login events for logins that happen through NMAS, see the Authenticate Session event in the NMAS collector.

5.11.1 Examples for Authentication Events

The following sections include examples for authentication events.

Authenticate Session

Click Authenticate Session to generate an event when a user authenticates a session and a new identity is associated with that session, as shown in the following example:

Oct 28 14:36:22 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "TEST-902-28","Name" : "CN=SLES11SP4-192,O=novell"},"Entity" : {"SysAddr" : "100.1.2.164","SysName" : "SLES11SP4-192"}},"Initiator" : {"Account" : {"Name" : "CN=admin,O=novell","Id" : "32847"},"Entity" : {"SysAddr" : "100.1.2.164:48588"},"Assertions" : {"NetAddress" : "100.1.2.164","NullPassword" : "FALSE","bindery login" : "FALSE"}},"Target" : {"Data" : {"ClassName" : "User","Name" : "CN=SLES11SP4-192,O=novell"}},"Action" : {"Event" : {"Id" : "0.0.11.0","Name" : "AUTHENTICATE_SESSION","CorrelationID" : "eDirectory#17#","SubEvent" : "DSE_AUTHENTICATE"},"Time" : {"Offset" : 1477645582},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}

Unauthenticate Session

Click Unauthenticate Session to generate an event when a user actively disassociates his or her identity from an existing authenticated session (for example, an LDAP unbind), as shown in the following example:

Jan 08 10:20:26 eDirectory : INFO {"Source" : "eDirectory#LDAP","Observer" : {"Account" : {"Domain" : "MYTREE","Name" : "CN=SRV1,O=mycom"},"Entity" : {"SysAddr" : "100.1.2.164","SysName" : "SLES11-SP2-164"}},"Initiator" : {"Account" : {"Name" : "cn=admin,o=mycom"},"Entity" : {"SysAddr" : "164.99.136.142:42181"},"Assertions" : {"msgID" : "54","netAddress" : "164.99.136.142:50596","operationTime" : "01/16/14 10:20:26"}},"Target" : {"Data" : {"connection" : "231405696"}},"Action" : {"Event" : {"Id" : "0.0.11.1","Name" : "UNAUTHENTICATE_SESSION","CorrelationID" : "eDirectory#4294967295#","SubEvent" : "DSE_LDAP_UNBIND"},"Time" : {"Offset" : 1389847826},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}} 

Create Access Token

Click Create Access Token to generate an event when a resource access token is created by a service (or identity) provider to send to a service consumer, as shown in the following example:

Jan 08 10:18:34 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "MYTREE","Name" : "CN=SRV1,O=mycom"},"Entity" : {"SysAddr" : "100.1.2.164","SysName" : "SLES11-SP2-164"}},"Initiator" : {"Account" : {"Domain" : "MYTREE"},"Entity" : {"SysAddr" : "0.0.0.0:0"}},"Target" : {"Data" : {"ClassName" : "NCP Server","Name" : "CN=SRV1,O=mycom"}},"Action" : {"Event" : {"Id" : "0.0.11.4","Name" : "CREATE_ACCESS_TOKEN","CorrelationID" : "eDirectory#0#","SubEvent" : "DSE_ALLOW_LOGIN"},"Time" : {"Offset" : 1389847714},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}
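The three events above share one shape: a syslog-style prefix ("Oct 28 14:36:22 eDirectory : INFO ") followed by a JSON body whose Action.Event.Id carries the XDASv2 identifier (0.0.11.0, 0.0.11.1, 0.0.11.4), Action.Event.SubEvent carries the eDirectory event, Initiator.Entity.SysAddr carries the client address and port, and Action.Outcome is "0" on every successful example. The following is an added example, not code from the eDirectory documentation or product: it parses such lines, pulls out the fields an analyst pivots on, and counts failed Authenticate Session events per source address, which is the obvious first detection to build on this taxonomy. It assumes the prefix format shown on the page, that IPv4 addresses are written as ip:port, and that any non-zero Outcome denotes a failure; the failed-bind lines in SAMPLE_LINES are constructed for the example (the Outcome value "1" in them is a placeholder, not a documented code), while the first two sample lines are the page's own examples.

```python
import json
import re
from collections import Counter

# Assumption: every line looks like "<Mon> <DD> <HH:MM:SS> eDirectory : <LEVEL> {json}"
_PREFIX = re.compile(r"^\w{3} \d{2} \d{2}:\d{2}:\d{2} eDirectory : \w+ (\{.*\})\s*$")

# The first two lines are the page's own Authenticate Session / Unauthenticate Session
# examples; the remaining four are constructed failed Authenticate Session events
# (non-zero Outcome) from two client addresses, to exercise the detection below.
SAMPLE_LINES = [
    'Oct 28 14:36:22 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "TEST-902-28","Name" : "CN=SLES11SP4-192,O=novell"},"Entity" : {"SysAddr" : "100.1.2.164","SysName" : "SLES11SP4-192"}},"Initiator" : {"Account" : {"Name" : "CN=admin,O=novell","Id" : "32847"},"Entity" : {"SysAddr" : "100.1.2.164:48588"},"Assertions" : {"NetAddress" : "100.1.2.164","NullPassword" : "FALSE","bindery login" : "FALSE"}},"Target" : {"Data" : {"ClassName" : "User","Name" : "CN=SLES11SP4-192,O=novell"}},"Action" : {"Event" : {"Id" : "0.0.11.0","Name" : "AUTHENTICATE_SESSION","CorrelationID" : "eDirectory#17#","SubEvent" : "DSE_AUTHENTICATE"},"Time" : {"Offset" : 1477645582},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}',
    'Jan 08 10:20:26 eDirectory : INFO {"Source" : "eDirectory#LDAP","Observer" : {"Account" : {"Domain" : "MYTREE","Name" : "CN=SRV1,O=mycom"},"Entity" : {"SysAddr" : "100.1.2.164","SysName" : "SLES11-SP2-164"}},"Initiator" : {"Account" : {"Name" : "cn=admin,o=mycom"},"Entity" : {"SysAddr" : "164.99.136.142:42181"},"Assertions" : {"msgID" : "54","netAddress" : "164.99.136.142:50596","operationTime" : "01/16/14 10:20:26"}},"Target" : {"Data" : {"connection" : "231405696"}},"Action" : {"Event" : {"Id" : "0.0.11.1","Name" : "UNAUTHENTICATE_SESSION","CorrelationID" : "eDirectory#4294967295#","SubEvent" : "DSE_LDAP_UNBIND"},"Time" : {"Offset" : 1389847826},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}} ',
    # Constructed: three failed binds from 203.0.113.7 (Outcome "1" is a placeholder value)
    'Oct 28 14:36:40 eDirectory : INFO {"Source" : "eDirectory#DS","Initiator" : {"Account" : {"Name" : "CN=admin,O=novell"},"Entity" : {"SysAddr" : "203.0.113.7:50001"}},"Action" : {"Event" : {"Id" : "0.0.11.0","Name" : "AUTHENTICATE_SESSION","SubEvent" : "DSE_AUTHENTICATE"},"Time" : {"Offset" : 1477645600},"Log" : {"Severity" : 7},"Outcome" : "1","ExtendedOutcome" : "0"}}',
    'Oct 28 14:36:41 eDirectory : INFO {"Source" : "eDirectory#DS","Initiator" : {"Account" : {"Name" : "CN=admin,O=novell"},"Entity" : {"SysAddr" : "203.0.113.7:50002"}},"Action" : {"Event" : {"Id" : "0.0.11.0","Name" : "AUTHENTICATE_SESSION","SubEvent" : "DSE_AUTHENTICATE"},"Time" : {"Offset" : 1477645601},"Log" : {"Severity" : 7},"Outcome" : "1","ExtendedOutcome" : "0"}}',
    'Oct 28 14:36:42 eDirectory : INFO {"Source" : "eDirectory#DS","Initiator" : {"Account" : {"Name" : "CN=admin,O=novell"},"Entity" : {"SysAddr" : "203.0.113.7:50003"}},"Action" : {"Event" : {"Id" : "0.0.11.0","Name" : "AUTHENTICATE_SESSION","SubEvent" : "DSE_AUTHENTICATE"},"Time" : {"Offset" : 1477645602},"Log" : {"Severity" : 7},"Outcome" : "1","ExtendedOutcome" : "0"}}',
    # Constructed: a single failed bind from a different address, below any sensible threshold
    'Oct 28 14:37:10 eDirectory : INFO {"Source" : "eDirectory#DS","Initiator" : {"Account" : {"Name" : "CN=jdoe,O=novell"},"Entity" : {"SysAddr" : "198.51.100.9:40010"}},"Action" : {"Event" : {"Id" : "0.0.11.0","Name" : "AUTHENTICATE_SESSION","SubEvent" : "DSE_AUTHENTICATE"},"Time" : {"Offset" : 1477645630},"Log" : {"Severity" : 7},"Outcome" : "1","ExtendedOutcome" : "0"}}',
]


def parse_event(line):
    """Return the XDASv2 JSON body of one log line as a dict, or None if the
    line does not carry a well-formed event (so a corrupt line cannot crash
    a long-running collector)."""
    m = _PREFIX.match(line)
    if not m:
        return None
    try:
        return json.loads(m.group(1))
    except json.JSONDecodeError:
        return None


def summarize(event):
    """Extract the fields an analyst usually pivots on from a parsed event."""
    action = event.get("Action", {})
    ev = action.get("Event", {})
    init = event.get("Initiator", {})
    addr = init.get("Entity", {}).get("SysAddr", "")
    return {
        "id": ev.get("Id"),
        "name": ev.get("Name"),
        "subevent": ev.get("SubEvent"),
        "initiator": init.get("Account", {}).get("Name"),
        # Assumption: SysAddr is "ip:port" for IPv4 clients; strip the ephemeral port
        # so repeated attempts from one host aggregate together.
        "source_ip": addr.rsplit(":", 1)[0] if ":" in addr else addr,
        # Assumption: "0" is success (as in every example on the page); anything else is a failure.
        "success": action.get("Outcome") == "0",
        "time": action.get("Time", {}).get("Offset"),
    }


def failed_auth_by_source(lines, threshold):
    """Count failed Authenticate Session (0.0.11.0) events per source IP and
    return the addresses that reached the threshold."""
    hits = Counter()
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        s = summarize(event)
        if s["id"] == "0.0.11.0" and not s["success"]:
            hits[s["source_ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(summarize(parse_event(line)))
    print("suspicious sources:", failed_auth_by_source(SAMPLE_LINES, 3))
```

Note that the Create Access Token example on the page carries an Initiator SysAddr of "0.0.0.0:0" and no account name, so a per-source count over that event would attribute it to 0.0.0.0; filtering on the 0.0.11.0 identifier, as above, keeps the count to real client binds. If NMAS logins are in scope, the failures must be taken from the NMAS collector's Authenticate Session event as the table note says, since they do not appear here.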