IBM_SECURITY_RUNTIME events (SAML2 message transmission)

This event type is generated when transmitting SAML2 authentication request and response messages. The following table lists the elements that can be shown in the output of an IBM_SECURITY_RUNTIME event.

Element	XPath
type	CommonBaseEvent/extendedDataElements [@name='resourceInfo']/children [@name='type']/values
action	CommonBaseEvent/extendedDataElements [@name='action']/values
MessageContent	CommonBaseEvent/extendedDataElements [@name='MessageContent']/values

Samples of IBM_SECURITY_RUNTIME events

The following example shows an events generated by a runtime request.

<CommonBaseEvent creationTime="2016-09-13T02:54:22.612Z" 
    extensionName="IBM_SECURITY_RUNTIME" 
    globalInstanceId="FIM2177819501571d34a705ed4ca920c" 
    sequenceNumber="10" version="1.1">

    <contextDataElements name="Security Event Factory" type="eventTrailId">
        <contextId>FIM_2177814701571a92875fed4ca920ca5a+1206972288</contextId>
    </contextDataElements>
    
    <extendedDataElements name="MessageContent" type="string">
        <values><samlp:AuthnRequest 
            xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
            xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
            AssertionConsumerServiceURL="https://sp-wga/isam/sps/saml20sp/saml20/login" 
            Destination="https://ip-wga/isam/sps/saml20ip/saml20/login" 
            ForceAuthn="false" 
            ID="FIMREQ_217780c5-0157-1645-a617-f796a7dfc338" 
            IsPassive="false" 
            IssueInstant="2016-09-13T02:54:22Z" 
            ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
            Version="2.0">

                <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
                    https://sp-wga/isam/sps/saml20sp/saml20
                </saml:Issuer>
                <samlp:NameIDPolicy AllowCreate="false" 
                    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
                </samlp:NameIDPolicy>

        </samlp:AuthnRequest></values>
    </extendedDataElements>
    
    <extendedDataElements name="action" type="string">
        <values>Received</values>
    </extendedDataElements>
    
    <extendedDataElements name="resourceInfo" type="noValue">
        <children name="nameInApp" type="string">
            <values/>
        </children>
        <children name="nameInPolicy" type="string">
            <values/>
        </children>
        <children name="type" type="string">
            <values>Saml20AuthnRequest</values>
        </children>
    </extendedDataElements>
    
    <extendedDataElements name="outcome" type="noValue">
        <children name="result" type="string">
            <values>SUCCESSFUL</values>
        </children>
        <children name="majorStatus" type="int">
        <values>0</values>
        </children>
    </extendedDataElements>

    <sourceComponentId application="IBM Security Verify Access" 
        component="Authentication and Federated Identity" componentIdType="ProductName" 
        executionEnvironment="Linux[amd64]#2.6.32-279.14.1.91.iss7_3.x86_64" 
        location="ip" locationType="FQHostname" 
        subComponent="com.tivoli.am.fim.saml20.protocol.actions.sso.SAML20ValidateAuthnRequestAction" 
        threadId="Default Executor-thread-61" 
        componentType="http://www.ibm.com/namespaces/autonomic/Tivoli_componentTypes"/>
    
    <situation categoryName="ReportSituation">
        <situationType xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
            xsi:type="ReportSituation" reasoningScope="INTERNAL" reportCategory="SECURITY"/>
    </situation>

</CommonBaseEvent>

Parent topic: Audit Federation