Identity provider activity

If authentication is required or optional within a policy and you assign users or groups to access control features in a policy, you can report data on IdP activity. This includes IdP sessions where:

  • A login was attempted.
  • A login was successful.
  • A login failed.
  • A session was restarted as a result of updating a user group.

You need to be an ETP administrator or a user with a specific permission to perform the procedures in this section and view the DNS Activity report. For more information, see Roles.

If a user skips authentication, ETP cannot report username and group information. This information is only recorded in the report when the user authenticates. For more information on authentication, see Authentication policy.

When navigating this report:

  • Any applied date or data filter defines the data that is shown. You can filter data based on the selected date or date range, the time of day you enter, and the actual filters applied to data on the page. You can create a filter where you include or exclude data from the listed activity.

  • By default, the data table shows session start time, location, whether authentication is required, internal client IP address, logged activity, and username for a successful login.

  • All the details for the report appear in the table. Aside from viewing this data and adding additional data points to the table, you can add data to a filter to help you review IdP activity.

If you are a delegated administrator, the data that appears on this page is based on the locations you created and are allowed to access. A strict delegated administrator cannot view the Identity Provider Activity report.

Filter identity provider activity data

To filter IdP activity data:

  1. In the Threat Protection menu of Enterprise Center, select Reports > Identity Provider Activity.

  2. To filter data based on date and time, see Filter data based on date and time.

  3. To configure and apply a filter, see Configure and apply a filter.

  4. Select a dimension or criteria to define what data is shown.

  5. To search for IdP connections that are grouped by the selected dimension, see Search for identity provider activity.

Search for identity provider activity

You can search for IdP activity in the Identity Provider Activity report. Data appears based on applied filters and the data you choose to show in the table. Search functionality is available to locate specific data in the list of activity.

To search for IdP activity:

  1. In the Threat Protection menu of Enterprise Center, select Reports > Identity Provider Activity.

  2. To filter data based on date and time, see Filter data based on date and time.

  3. To configure and apply a filter, see Configure and apply a filter.

  4. Select a dimension or criteria to define what data is shown.

  5. In the search field provided for the table, enter a criteria value. For example, if you want to show activity from a specific location, you can enter the location name in the search field. The value you enter should match a value in one of the table columns.

Add identity provider activity data to a filter

Before you begin

Configure and apply a filter.

You can add specific data from the Identity Provider Activity report to a filter.

To add IdP activity data to a filter:

  1. Make sure that you are on the Identity Provider Activity report. To go to the Identity Provider Activity report, in the Threat Protection menu of Enterprise Center, select Reports > Identity Provider Activity.

  2. Click the data value that you want to add to the filter. For example, if you want to add a location, click the location.

  3. Select one of these:

    • If you want the data to be part of the In filter, select Add to Include Filter. A value cannot be added to the Include Filter if it's already in the Exclude Filter.

    • If you want the data to be part of the Not In filter, select Add to Exclude Filter. A value cannot be added to the Exclude Filter if it's already in the Include Filter.

Add or remove data columns to the Identity Provider Activity data table

To add or remove data columns to the table that appears in the Identity Provider Activity report:

  1. In the Threat Protection menu of Enterprise Center, select Reports > Identity Provider Activity.

  2. In the Identity Provider Activity table, click the table icon. A list of attributes appears:

    1. To remove a data column, deselect an attribute.

    2. To add a data column for another attribute, select the attribute. A column for this data appears.

Download a CSV with identity provider activity

Each table shows the latest 500 connections. However, you can download a CSV file to see up to 5,000 of the most recent activities based on the filters you applied.

To download a CSV that contains IdP activity:

  1. In the Threat Protection menu of Enterprise Center, select Reports > Identity Provider Activity.

  2. Filter activity as needed:

    1. To filter data based on date and time, see Filter data based on date and time.

    2. To create a filter and add data to the filter, see Configure and apply a filter and Add identity provider activity data to a filter.

  3. To add or remove data columns to the activity table, see Add or remove data columns to the identity provider activity data table.

  4. Click Download CSV (Identity Provider Activities).

Identity provider activity details

This data appears in the Identity Provider Activity report. Some of this data appears by default. To show additional data, you can add data columns to the report. For more information, see Add or remove data columns to the identity provider activity data table.

| IdP Activity Field or Detail | Description |
| --- | --- |
| Session Start Time | Indicates the date and time an IdP session was started or attempted to start as a result of a login, attempted login, or an update to user groups associated with an IdP. |
| Location | The location associated with the activity. |
| Authentication Required | Indicates whether authentication is required for a login. |
| Internal Client IP | Internal IP address of the user’s machine. |
| Logged Activity | Shows the IdP activity that’s logged in this report. This activity includes: **Login attempted** (indicates when a login was attempted); **Login succeeded** (indicates when a login succeeded); **Login failed** (indicates when a login failed); **User group membership was updated** (indicates when a user group was updated in the directory associated with the IdP). |
| Username | Shows the username of the user who successfully logged in. |
| Message | Provides a message in case of a failure or a user group update: if there’s a failure, an error message appears; if user groups are updated, the message indicates how many groups were updated. |
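The downloaded CSV can be triaged offline for bursts of failed logins. The following is an added example, not code from the product or its documentation: it assumes the CSV column headers match the field names in the table above, that Logged Activity values match the bolded names, and a `YYYY-MM-DD HH:MM:SS` timestamp format. Because Username is recorded only for successful logins, failures are grouped by Internal Client IP.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows; column names, values and timestamp format are assumptions.
SAMPLE_CSV = """Session Start Time,Location,Authentication Required,Internal Client IP,Logged Activity,Username,Message
2024-05-01 09:00:05,HQ,Yes,10.0.0.15,Login failed,,Invalid credentials
2024-05-01 09:00:40,HQ,Yes,10.0.0.15,Login failed,,Invalid credentials
2024-05-01 09:01:10,HQ,Yes,10.0.0.15,Login failed,,Invalid credentials
2024-05-01 09:02:00,HQ,Yes,10.0.0.15,Login succeeded,jdoe,
2024-05-01 09:05:00,Branch,Yes,10.1.0.7,Login failed,,Invalid credentials
2024-05-01 11:30:00,Branch,Yes,10.1.0.7,Login failed,,Invalid credentials
2024-05-01 11:31:00,Branch,Yes,10.1.0.7,Login succeeded,asmith,
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed export format


def find_failure_bursts(csv_text, threshold=3, window=timedelta(minutes=5)):
    """Return one finding per client IP with >= threshold failed logins inside window."""
    events = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.strptime(row["Session Start Time"], TIME_FORMAT)
        events[row["Internal Client IP"]].append((ts, row))

    findings = []
    for ip, rows in events.items():
        rows.sort(key=lambda item: item[0])
        failures = [ts for ts, r in rows if r["Logged Activity"] == "Login failed"]
        start = 0
        for end, ts in enumerate(failures):
            # Slide the window start forward until it spans at most `window`.
            while ts - failures[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                # Username is only present on successful logins, so look for one
                # from the same IP shortly after the burst.
                follow = [r["Username"] for t, r in rows
                          if r["Logged Activity"] == "Login succeeded"
                          and ts <= t <= ts + window]
                findings.append({"client_ip": ip, "failures": end - start + 1,
                                 "burst_end": ts, "success_after": follow})
                break  # one finding per IP is enough for triage
    return findings


if __name__ == "__main__":
    for finding in find_failure_bursts(SAMPLE_CSV):
        print(finding)
```

A finding with a non-empty `success_after` list is the higher-priority case: repeated failures from one client followed by a successful login for the listed account.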
