IBM_SECURITY_AUTHN events
This event type is generated by the authentication service when it authenticates a user accessing a protected resource. The following table lists the elements that can be shown in the output of an IBM_SECURITY_AUTHN event. All elements are included in the output, unless indicated otherwise.
Element: action
Description: Optionally specifies the HTTP method on the requested resource or the operation that is performed by the provider of the authentication service.
The XPath is: CommonBaseEvent/extendedDataElements[@name='action']/values

Element: authnProvider
Description: Provider of the authentication service.
Sample data: com.tivoli.am.fim.authsvc.protocol.delegate.AuthSvcDelegate
Sample data: com.tivoli.am.fim.authsvc.action.authenticator.hotp.HOTPAuthenticator
The XPath is: CommonBaseEvent/extendedDataElements[@name='authnProvider']/values

Element: authnScope
Description: Optionally specifies the transaction identifier of the authentication policy.
Sample data: 94434b2a-748e-42fe-af3d-67db04aa4ba0
The XPath is: CommonBaseEvent/extendedDataElements[@name='authnScope']/values

Element: authnType
Description: The URI identifier of the authentication policy.
Sample data: urn:ibm:security:authentication:asf:password_hotp
The XPath is: CommonBaseEvent/extendedDataElements[@name='authnType']/values

Element: partner
Description: The authentication service does not use this element. It appears in the IBM_SECURITY_AUTHN event as 'Not Available'.
The XPath is: CommonBaseEvent/extendedDataElements[@name='partner']/values

Element: progName
Description: Optionally specifies the URL of the requested resource.
Sample data: http://www.example.com
The XPath is: CommonBaseEvent/extendedDataElements[@name='progName']/values

Element: tokenType
Description: The authentication service does not use this element. It appears in the IBM_SECURITY_AUTHN event as 'Not Available'.
The XPath is: CommonBaseEvent/extendedDataElements[@name='tokenType']/values

Element: trustRelationship
Description: The authentication service does not use this element. It appears in the IBM_SECURITY_AUTHN event as 'Not Available'.
The XPath is: CommonBaseEvent/extendedDataElements[@name='trustRelationship']/values

Element: userInfo.appUserName
Description: Optionally specifies information about the user who is authenticating.
The XPath is: CommonBaseEvent/extendedDataElements[@name='userInfoList']/children[1]/children[@name='appUserName']/values

Element: userInfo.attributes
Description: Optionally specifies the following types of additional information about user data audited during authentication:
- licenseFileMetadata: Metadata that is defined in the license agreement.
- licenseFileName: The license file name.
- userAction: The action the user takes when the End-User License Agreement authentication mechanism presents the license agreement. The user can accept the license agreement or decline the license agreement.
The XPath is: CommonBaseEvent/extendedDataElements[@name='userInfoList']/children[@name='userInfo']/children[@name='attributes']/children

Element: xmlTokenType
Description: The authentication service does not use this element. It appears in the IBM_SECURITY_AUTHN event as 'Not Available'.
The XPath is: CommonBaseEvent/extendedDataElements[@name='xmlTokenType']/values

Sample of an IBM_SECURITY_AUTHN event
The following example shows one event generated by the runtime for a two-factor authentication policy requiring both username password and one-time password authentications:

<CommonBaseEvent creationTime="2014-02-15T18:50:05.026Z"
    extensionName="IBM_SECURITY_AUTHN"
    globalInstanceId="FIM36e24f6301441708947ceef443526"
    sequenceNumber="2" version="1.1">
  <contextDataElements name="Security Event Factory" type="eventTrailId">
    <contextId>FIM_36e24f62014415f59913eef443526e68+1246005647</contextId>
  </contextDataElements>
  <extendedDataElements name="userInfoList" type="noValue">
    <children name="userInfo" type="noValue">
      <children name="registryUserName" type="string">
        <values>Not Available</values>
      </children>
      <children name="appUserName" type="string">
        <values>test_user</values>
      </children>
    </children>
  </extendedDataElements>
  <extendedDataElements name="tokenType" type="string">
    <values>Not Available</values>
  </extendedDataElements>
  <extendedDataElements name="authnProvider" type="string">
    <values>com.tivoli.am.fim.authsvc.action.authenticator.hotp.HOTPAuthenticator</values>
  </extendedDataElements>
  <extendedDataElements name="action" type="string">
    <values>verify</values>
  </extendedDataElements>
  <extendedDataElements name="authnType" type="string">
    <values>urn:ibm:security:authentication:asf:password_hotp</values>
  </extendedDataElements>
  <extendedDataElements name="outcome" type="noValue">
    <children name="result" type="string">
      <values>SUCCESSFUL</values>
    </children>
    <children name="majorStatus" type="int">
      <values>0</values>
    </children>
  </extendedDataElements>
  <extendedDataElements name="trustRelationship" type="string">
    <values>Not Available</values>
  </extendedDataElements>
  <extendedDataElements name="progName" type="string">
    <values>Not Available</values>
  </extendedDataElements>
  <extendedDataElements name="authnScope" type="string">
    <values>Not Available</values>
  </extendedDataElements>
  <sourceComponentId application="IBM Security Verify Access"
      component="Authentication and Federated Identity"
      componentIdType="ProductName"
      executionEnvironment="Linux[amd64]#2.6.32-279.14.1.30.iss7_3.x86_64"
      location="example" locationType="FQHostname"
      subComponent="com.tivoli.am.fim.authsvc.action.authenticator.hotp.HOTPAuthenticator"
      threadId="Default Executor-thread-60"
      componentType="http://www.ibm.com/namespaces/autonomic/Tivoli_componentTypes"/>
  <situation categoryName="ReportSituation">
    <situationType xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="ReportSituation" reasoningScope="INTERNAL" reportCategory="SECURITY"/>
  </situation>
</CommonBaseEvent>
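
The following Python function is an added example, not part of the product or its documentation. It applies the XPaths listed above to flatten one event into a dictionary for log ingestion, mapping 'Not Available' to None. It assumes events carry no default XML namespace, as in the sample, and that each entry under attributes is a children node with a name and a values child; the embedded event and its userAction value are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed event in the layout shown above; the
# "attributes" block and its userAction value are made up for illustration.
SAMPLE = """<CommonBaseEvent creationTime="2014-02-15T18:50:05.026Z"
    extensionName="IBM_SECURITY_AUTHN" sequenceNumber="2" version="1.1">
 <extendedDataElements name="userInfoList" type="noValue">
  <children name="userInfo" type="noValue">
   <children name="appUserName" type="string"><values>test_user</values></children>
   <children name="attributes" type="noValue">
    <children name="userAction" type="string"><values>accept</values></children>
   </children>
  </children>
 </extendedDataElements>
 <extendedDataElements name="tokenType" type="string"><values>Not Available</values></extendedDataElements>
 <extendedDataElements name="action" type="string"><values>verify</values></extendedDataElements>
 <extendedDataElements name="authnType" type="string"><values>urn:ibm:security:authentication:asf:password_hotp</values></extendedDataElements>
 <extendedDataElements name="outcome" type="noValue">
  <children name="result" type="string"><values>SUCCESSFUL</values></children>
  <children name="majorStatus" type="int"><values>0</values></children>
 </extendedDataElements>
</CommonBaseEvent>"""

EDE = "extendedDataElements[@name='%s']"
USER = EDE % "userInfoList" + "/children[@name='userInfo']/children[@name='%s']"
FIELDS = ("action", "authnProvider", "authnScope", "authnType", "partner",
          "progName", "tokenType", "trustRelationship", "xmlTokenType")

def _value(root, path):
    """Text of the <values> node at path; None if absent or 'Not Available'."""
    text = (root.findtext(path + "/values") or "").strip()
    return None if text in ("", "Not Available") else text

def parse_authn_event(xml_text):
    """Flatten one IBM_SECURITY_AUTHN event into a dict keyed by element name."""
    root = ET.fromstring(xml_text)
    if root.tag != "CommonBaseEvent" or root.get("extensionName") != "IBM_SECURITY_AUTHN":
        raise ValueError("not an IBM_SECURITY_AUTHN event")
    rec = {name: _value(root, EDE % name) for name in FIELDS}
    rec["creationTime"] = root.get("creationTime")
    rec["appUserName"] = _value(root, USER % "appUserName")
    rec["result"] = _value(root, EDE % "outcome" + "/children[@name='result']")
    status = _value(root, EDE % "outcome" + "/children[@name='majorStatus']")
    rec["majorStatus"] = None if status is None else int(status)
    # Assumed shape: each attribute is <children name="..."><values>...</values></children>.
    rec["attributes"] = {c.get("name"): (c.findtext("values") or "").strip()
                         for c in root.findall(USER % "attributes" + "/children")}
    return rec
```

When events arrive from a source you do not control, parse them with a hardened XML parser such as defusedxml instead of the standard library parser.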