IBM_SECURITY_FEDERATION events
This event type is generated when a federation event occurs. An IBM_SECURITY_FEDERATION event is generated by the following actions:
- When a user identity mapping is created, that is, when a user is federated.
- When a user consents to federate.
- When a user identity mapping is deleted, that is, when a user is de-federated.
- When a user mapping is updated, for example, by a Register Name Identifier (RNI) operation.
The following elements can be shown in the output of an IBM_SECURITY_FEDERATION event. The XPath given for each element selects its value.

Element: action
Description: The type of federation action:
- CreateMapping
- ConsentToFederate
- DeleteMapping
- UpdateMapping
XPath: CommonBaseEvent/extendedDataElements[@name='action']/values

Element: messageAction
Description: The type of action associated with the message.
XPath: CommonBaseEvent/extendedDataElements[@name='messageAction']/values

Element: partner
Description: Partner that sends or receives the message.
XPath: CommonBaseEvent/extendedDataElements[@name='partner']/values

Element: profile
Description: Profile within the federation.
XPath: CommonBaseEvent/extendedDataElements[@name='profile']/values

Element: protocolName
Description: The type of federation protocol.
XPath: CommonBaseEvent/extendedDataElements[@name='protocolName']/values

Element: role
Description: The role that the component generating the audit event takes.
XPath: CommonBaseEvent/extendedDataElements[@name='role']/values

Element: userInfo.appUserName
Description: Information about the user who is performing this operation.
XPath: CommonBaseEvent/extendedDataElements[@name='userInfoList']/children[1]/children[@name='appUserName']/values
Action-dependent additional attributes
Depending on the type of federation event action, the following attributes are available. Each attribute is recorded as a name/value pair under the attributes element, so two XPaths are given: one that selects the attribute name and one that selects its value.

Action: CreateMapping
Attribute: selfAlias
Description: If a self alias is set for the user, then this attribute shows that value.
XPath for the attribute name:
CommonBaseEvent/extendedDataElements[@name='attributes']/children[@name='attribute']/children[@name='name']/values[contains(.,'selfAlias')]
XPath for the attribute value:
CommonBaseEvent/extendedDataElements[@name='attributes']/children[@name='attribute']/children[@name='name']/values[contains(.,'selfAlias')]/../../children[@name='value']/values

Action: CreateMapping
Attribute: partnerAlias
Description: If a partner alias is set for the user, then this attribute shows that value.
XPath for the attribute name:
CommonBaseEvent/extendedDataElements[@name='attributes']/children[@name='attribute']/children[@name='name']/values[contains(.,'partnerAlias')]
XPath for the attribute value:
CommonBaseEvent/extendedDataElements[@name='attributes']/children[@name='attribute']/children[@name='name']/values[contains(.,'partnerAlias')]/../../children[@name='value']/values

Action: ConsentToFederate
Attribute: consentToFederate
Description: This attribute specifies whether the user consented to federate. This event applies to Liberty and SAML20 protocol flows.
XPath for the attribute name:
CommonBaseEvent/extendedDataElements[@name='attributes']/children[@name='attribute']/children[@name='name']/values[contains(.,'consentToFederate')]
XPath for the attribute value:
CommonBaseEvent/extendedDataElements[@name='attributes']/children[@name='attribute']/children[@name='name']/values[contains(.,'consentToFederate')]/../../children[@name='value']/values

Action: DeleteMapping
Additional attributes: None

Action: UpdateMapping
Attribute: selfAlias
Description: If a self alias is set for the user, then this attribute shows the updated value.
XPath for the attribute name:
CommonBaseEvent/extendedDataElements[@name='attributes']/children[@name='attribute']/children[@name='name']/values[contains(.,'selfAlias')]
XPath for the attribute value:
CommonBaseEvent/extendedDataElements[@name='attributes']/children[@name='attribute']/children[@name='name']/values[contains(.,'selfAlias')]/../../children[@name='value']/values

Action: UpdateMapping
Attribute: partnerAlias
Description: If a partner alias is set for the user, then this attribute shows the updated value.
XPath for the attribute name:
CommonBaseEvent/extendedDataElements[@name='attributes']/children[@name='attribute']/children[@name='name']/values[contains(.,'partnerAlias')]
XPath for the attribute value:
CommonBaseEvent/extendedDataElements[@name='attributes']/children[@name='attribute']/children[@name='name']/values[contains(.,'partnerAlias')]/../../children[@name='value']/values
Sample of an IBM_SECURITY_FEDERATION event
The following example shows an IBM_SECURITY_FEDERATION event. It records a DeleteMapping (de-federation) message received by a component acting as the identity provider (role IP) for the user Elain under the SAML 2.0 name identifier management profile, with a SUCCESSFUL outcome:

<CommonBaseEvent creationTime="2006-04-05T20:09:41.983Z" extensionName="IBM_SECURITY_FEDERATION" globalInstanceId="CE11DAC4E01E4BBF50E69681063F1AA1AF" sequenceNumber="7" version="1.0.1">
  <extendedDataElements name="action" type="string">
    <values>DeleteMapping</values>
  </extendedDataElements>
  <extendedDataElements name="partner" type="string">
    <values>https://sp:444/FIM/sps/saml20-sp/saml20</values>
  </extendedDataElements>
  <extendedDataElements name="relayState" type="string">
    <values>Not Available</values>
  </extendedDataElements>
  <extendedDataElements name="outcome" type="noValue">
    <children name="majorStatus" type="int"><values>0</values></children>
    <children name="result" type="string"><values>SUCCESSFUL</values></children>
  </extendedDataElements>
  <extendedDataElements name="clientInfo" type="boolean">
    <values>false</values>
  </extendedDataElements>
  <extendedDataElements name="role" type="string">
    <values>IP</values>
  </extendedDataElements>
  <extendedDataElements name="messageAction" type="string">
    <values>RECEIVED</values>
  </extendedDataElements>
  <extendedDataElements name="profile" type="string">
    <values>urn:oasis:names:tc:SAML:2.0:profiles:SSO:nameid-mgmt</values>
  </extendedDataElements>
  <extendedDataElements name="protocolName" type="string">
    <values>urn:oasis:names:tc:SAML:2.0:protocol</values>
  </extendedDataElements>
  <extendedDataElements name="userInfoList" type="noValue">
    <children name="userInfo" type="noValue">
      <children name="appUserName" type="string"><values>Elain</values></children>
      <children name="registryUserName" type="string"><values>Not Available</values></children>
    </children>
  </extendedDataElements>
  <sourceComponentId application="IBM Security Verify Access" component="Authentication and Federated Identity" componentIdType="ProductName" executionEnvironment="Linux[x86]#2.4.21-4.EL" location="fimtest.myco.com" locationType="FQHostname" subComponent="com.tivoli.am.fim.saml20.protocol.actions.nimgmt.SAML20ProcessManageNameIDMessageAction" threadId="WebContainer : 1" componentType="http://www.ibm.com/namespaces/autonomic/Tivoli_componentTypes"/>
  <situation categoryName="ReportSituation">
    <situationType xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ReportSituation" reasoningScope="INTERNAL" reportCatagory="SECURITY"/>
  </situation>
</CommonBaseEvent>
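As an added example that is not part of the IBM documentation, the following Python uses only the standard library to pull the documented fields out of an event with the XPaths listed above; because xml.etree.ElementTree supports neither contains() nor the /../.. step, the name-to-value pairing for the action-dependent attributes is done in code. The event text is constructed for this example, and the layout of its attributes element is inferred from the page's XPaths rather than taken from product output.

```python
import xml.etree.ElementTree as ET

# XPaths from the page, made relative to the CommonBaseEvent root element.
SIMPLE = ("action", "messageAction", "partner", "profile", "protocolName", "role")
FIELDS = {n: f"extendedDataElements[@name='{n}']/values" for n in SIMPLE}
FIELDS["appUserName"] = ("extendedDataElements[@name='userInfoList']"
                         "/children[1]/children[@name='appUserName']/values")
FIELDS["result"] = "extendedDataElements[@name='outcome']/children[@name='result']/values"

def federation_attributes(root):
    """{name: value} for the action-dependent 'attributes' element. ElementTree
    has no contains() or /../.., so the name-to-value pairing that the page's
    XPath expresses with /../../children[@name='value'] is done per attribute."""
    attrs = {}
    for attr in root.findall("extendedDataElements[@name='attributes']"
                             "/children[@name='attribute']"):
        name = attr.findtext("children[@name='name']/values")
        if name is not None:
            attrs[name] = attr.findtext("children[@name='value']/values")
    return attrs

def parse_federation_event(xml_text):
    """Return the documented fields of one IBM_SECURITY_FEDERATION event as a dict;
    fields absent from the event come back as None."""
    root = ET.fromstring(xml_text)
    if root.get("extensionName") != "IBM_SECURITY_FEDERATION":
        raise ValueError("not an IBM_SECURITY_FEDERATION event")
    event = {name: root.findtext(path) for name, path in FIELDS.items()}
    event["creationTime"] = root.get("creationTime")
    event["attributes"] = federation_attributes(root)
    return event

# Constructed sample (not from the page): a CreateMapping event with the
# 'attributes' element laid out as the page's XPaths imply.
SAMPLE_CREATE_MAPPING = """<CommonBaseEvent creationTime="2006-04-05T20:09:41.983Z"
 extensionName="IBM_SECURITY_FEDERATION" version="1.0.1">
<extendedDataElements name="action" type="string"><values>CreateMapping</values></extendedDataElements>
<extendedDataElements name="role" type="string"><values>IP</values></extendedDataElements>
<extendedDataElements name="outcome" type="noValue">
 <children name="result" type="string"><values>SUCCESSFUL</values></children></extendedDataElements>
<extendedDataElements name="userInfoList" type="noValue"><children name="userInfo" type="noValue">
 <children name="appUserName" type="string"><values>Elain</values></children></children></extendedDataElements>
<extendedDataElements name="attributes" type="noValue">
 <children name="attribute" type="noValue"><children name="name" type="string"><values>selfAlias</values></children>
  <children name="value" type="string"><values>_self-alias-EXAMPLE</values></children></children>
 <children name="attribute" type="noValue"><children name="name" type="string"><values>partnerAlias</values></children>
  <children name="value" type="string"><values>_partner-alias-EXAMPLE</values></children></children>
</extendedDataElements></CommonBaseEvent>"""
```

Running parse_federation_event over the page's own DeleteMapping sample returns an empty attributes dict, which matches the "None" entry for DeleteMapping in the table above.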