5.10 Authentication Management Events

XDASv1 specified authentication as a modification of session attributes. XDASv2 makes authentication a first class event because authentication is critical to an audit.

Table 5-10 Authentication Events Taxonomy

Event Names

Event Identifier

eDirectory Events

Description

Use

Authenticate Session

0.0.11.0

DSE_LDAP_BIND

DSE_LDAP_BINDRESPONSE

DSE_LOGIN

A new identity is associated with a session

When a user authenticates a session, a new identity is associated with that session. This identity is then used to authorize requests for protected resources.

Unauthenticate Session

0.0.11.1

DSE_LDAP_UNBIND

A user has actively disassociated his identity from an existing authenticate session.

When a user clicks the “Logout” button on his or her web browser, the previously authenticated identity is removed from an existing authenticated session.

Create Access Token

0.0.11.4

DSE_ALLOW_LOGIN

DSE_GEN_CA_KEYS

DSE_RECERT_PUB_KEY

A SAMLv2, WS-*, OAuth, or other access token was provided upon request.

A resource access token was created by a service (or identity) provider to send to a service consumer. Access is limited by time frame, specifically requested resources, or other limiting criteria, in terms of a contract specified by previously agreed upon name/value pairs in the token. The act of creating and sending an access token is the start of a new pseudo-identity with limited and specific rights to protected resources. This pseudo-identity can be used as a correlation identifier between this and future authorization events. The actually identity of the system user behind the access token may or may not be hidden from the consumer.

5.10.1 Examples for Authentication Event

The following sections include examples for authentication events.

Authenticate Session

Click Authenticate Session to generate an event when a user authenticates a session, a new identity is associated with that session, as shown in the following example:

Jan 08 10:11:50 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "MYTREE","Name" : "CN=SRV1,O=mycom"},"Entity" : {"SysAddr" : "100.1.2.164","SysName" : "SLES11-SP2-164"}},"Initiator" : {"Account" : {"Name" : "CN=admin,O=mycom","Id" : "32809"},"Entity" : {"SysAddr" : "100.1.2.164:54162"},"Assertions" : {"NetAddress" : "100.1.2.164","NullPassword" : "FALSE","bindery login" : "FALSE"}},"Target" : {"Data" : {"ClassName" : "User","Name" : "CN=SRV1,O=mycom"}},"Action" : {"Event" : {"Id" : "0.0.11.0","Name" : "AUTHENTICATE_SESSION","CorrelationID" : "eDirectory#25#","SubEvent" : "DSE_LOGIN"},"Time" : {"Offset" : 1389847310},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}} 

Unauthenticate Session

Click Unauthenticate Session to generate an event when a user authenticates a session, a new identity is associated with that session, as shown in the following example:

Jan 08 10:20:26 eDirectory : INFO {"Source" : "eDirectory#LDAP","Observer" : {"Account" : {"Domain" : "MYTREE","Name" : "CN=SRV1,O=mycom"},"Entity" : {"SysAddr" : "100.1.2.164","SysName" : "SLES11-SP2-164"}},"Initiator" : {"Account" : {"Name" : "cn=admin,o=mycom"},"Entity" : {"SysAddr" : "164.99.136.142:42181"},"Assertions" : {"msgID" : "54","netAddress" : "164.99.136.142:50596","operationTime" : "01/16/14 10:20:26"}},"Target" : {"Data" : {"connection" : "231405696"}},"Action" : {"Event" : {"Id" : "0.0.11.1","Name" : "UNAUTHENTICATE_SESSION","CorrelationID" : "eDirectory#4294967295#","SubEvent" : "DSE_LDAP_UNBIND"},"Time" : {"Offset" : 1389847826},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}} 

Create Access Token

Click Create Access Token to generate an event when a a resource access token is created by a service (or identity) provider to send to a service consumer, as shown in the following example:

Jan 08 10:18:34 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "MYTREE","Name" : "CN=SRV1,O=mycom"},"Entity" : {"SysAddr" : "100.1.2.164","SysName" : "SLES11-SP2-164"}},"Initiator" : {"Account" : {"Domain" : "MYTREE"},"Entity" : {"SysAddr" : "0.0.0.0:0"}},"Target" : {"Data" : {"ClassName" : "NCP Server","Name" : "CN=SRV1,O=mycom"}},"Action" : {"Event" : {"Id" : "0.0.11.4","Name" : "CREATE_ACCESS_TOKEN","CorrelationID" : "eDirectory#0#","SubEvent" : "DSE_ALLOW_LOGIN"},"Time" : {"Offset" : 1389847714},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}