Create report to audit authentications per service and authentication method

This document is written for PhenixID Server.

The reader should have some basic knowledge about PhenixID Server.

This document describes how to create a report to view authentications per service (application) and/or authentication method.

The solution contains two steps:

1. Add custom event logging to configured authenticators

2. Create custom report.

Add custom event logging to configured authenticators

- Login to Configuration Manager

- Locate the authenticator

- Get the pipeID value for the authenticator

- Locate the pipe

- Add an event valve to the pipe. Place the event valve last in the pipe.

Configuration example

This pipe is connected to a SAML authenticator (username, password, otp).

 

{  
   "id":"otpValidator",
   "valves":[  
      {  
         "name":"SessionLoadValve",
         "config":{  
            "id":"{{request.session_id}}"
         }
      },
      {  
         "name":"OTPValidationValve",
         "config":{  
            "provided_otp_param_name":"{{request.otp}}",
            "generated_otp_param_name":"generated_otp"
         }
      },
      {  
         "name":"LDAPSearchValve",
         "config":{  
            "connection_ref":"MyAD",
            "base_dn":"ou=demo,DC=demo,DC=phenixid,DC=net",
            "scope":"SUB",
            "size_limit":"0",
            "filter_template":"(&(objectClass=user)(samaccountname={{request.username}}))",
            "attributes":"mail"
         }
      },
      {  
         "name":"AssertionProvider",
         "config":{  
            "targetEntityID":"MyIDP",
            "nameIDAttribute":"mail",
            "misc":{  
               "excludeSubjectNotBefore":"true"
            }
         }
      },
      {  
         "name":"AuthnRequestDecoder",
         "config":{  
         }
      },
      {  
         "name":"EventValve",
         "config":{  
            "event_key":"EVT_000052",
            "parameters":[  
               {  
                  "parameter":"requestMethod",
                  "value":"Username-Password-OTP"
               },
               {  
                  "parameter":"duser",
                  "value":"{{request.username}}"
               },
               {  
                  "parameter":"destinationServiceName",
                  "value":"{{item.issuer}}"
               },
               {  
                  "parameter":"proto",
                  "value":"SAML"
               }
            ]
         }
      }
   ]
}

Create custom report

Follow this guide to create a custom report. Use these values for the report.

{
    "displayName": "View all authentications",
    "category":"Authentication",
    "description": "Shows every authentication",
    "query": "select from event where eventID ='EVT_000052'"
}

Display report

Login to Configuration Manager

Click Reports

Navigate to Authentication->View all authentications

All authentications are now displayed

Export data to Excel for advanced filtering and categorizing.