Overview
SSO audit logging provides comprehensive tracking of all authentication-related events, configuration changes, and user activity. This enables security monitoring, compliance reporting, troubleshooting, and forensic analysis.
Accessing audit logs
Navigate to the audit logs page in your admin dashboard.
Event types
Authentication events
| Event Type | Description | Severity |
|---|---|---|
| auth.login.success | Successful SSO login | Info |
| auth.login.failed | Failed login attempt | Warning |
| auth.logout | User logout (including RP-initiated) | Info |
| auth.token.issued | Access token issued | Info |
| auth.token.refreshed | Access token refreshed | Info |
| auth.token.revoked | Access token revoked | Warning |
| auth.session.expired | User session expired | Info |
Provider configuration events
| Event Type | Description | Severity |
|---|---|---|
| provider.created | New SSO provider added | Info |
| provider.updated | Provider configuration changed | Info |
| provider.deleted | Provider removed | Warning |
| provider.enabled | Provider enabled | Info |
| provider.disabled | Provider disabled | Warning |
| provider.test | Provider test login performed | Info |
User account events
| Event Type | Description | Severity |
|---|---|---|
| user.created | New user account created via JIT provisioning | Info |
| user.updated | User profile updated | Info |
| user.suspended | User account suspended | Warning |
| user.reactivated | Suspended user reactivated | Info |
| user.deleted | User account deleted | Warning |
| user.roles.synced | User roles synchronized from IdP | Info |
| user.roles.updated | User roles manually updated | Info |
Connected account events
| Event Type | Description | Severity |
|---|---|---|
| account.connected | SSO account connected to user | Info |
| account.disconnected | SSO account disconnected | Warning |
| account.linked | Multiple SSO accounts linked | Info |
| account.unlinked | SSO accounts unlinked | Warning |
Log entry details
Each audit log entry contains:
Core fields
| Field | Description |
|---|---|
| Timestamp | When the event occurred (UTC) |
| Event type | Type of event (see event types above) |
| Severity | Info, Warning, Error, or Critical |
| User | User who triggered the event (if applicable) |
| IP address | Source IP address |
| User agent | Browser/client information |
Event-specific data
| Field | Description |
|---|---|
| Provider | SSO provider involved |
| Action | Specific action performed |
| Resource | Resource affected (user, provider, etc.) |
| Changes | What changed (for update events) |
| Error message | Error details (for failed events) |
| Session ID | Session identifier |
| Request ID | Unique request identifier for correlation |
Example log entries
Successful login
Failed login attempt
Provider configuration change
Filtering and search
Search capabilities
Search audit logs using various criteria:
- Text search: Search across all text fields
- User: Filter by specific user
- Provider: Filter by SSO provider
- Event type: Filter by event type
- Severity: Filter by severity level
- Date range: Filter by time period
- IP address: Filter by source IP
Advanced filters
Combine multiple filters for precise queries.
Saved searches
Save frequently used search queries:
1. Create search: Configure your search filters
2. Click save search: Click the “Save Search” button
3. Name the search: Enter a descriptive name (e.g., “Failed Okta logins”)
4. Access saved searches: Access from the “Saved Searches” dropdown
Monitoring and alerts
Real-time monitoring
Monitor authentication events in real-time:
- Live event stream
- Auto-refresh every 30 seconds
- Desktop notifications for critical events
- Sound alerts for security events
Alert configuration
Set up alerts for specific events:
1. Navigate to alerts: Go to Admin → Audit Logs → Alerts
2. Create alert: Click “Create Alert”
3. Configure conditions: Set alert conditions:
   - Event type
   - Severity level
   - Frequency threshold
   - Time window
4. Configure notifications: Choose notification methods:
   - Slack
   - Webhook
   - SMS (if configured)
5. Save alert: Save and enable the alert
Example alerts
Multiple failed login attempts
Provider configuration changes
Suspicious activity
Compliance and reporting
Compliance reports
Generate reports for compliance requirements:
SOC 2 authentication report
- All authentication events
- Failed login attempts
- Account changes
- Provider configuration changes
GDPR user activity report
- All events for a specific user
- Account creation and deletion
- Data access events
- Consent changes
HIPAA access audit
- User authentication events
- Role changes
- Access to sensitive resources
- Failed access attempts
Generating reports
1. Navigate to reports: Go to Admin → Audit Logs → Reports
2. Select report type: Choose a compliance report template or create a custom one
3. Configure parameters: Set date range, users, providers, etc.
4. Generate report: Click “Generate Report”
5. Export report: Download as PDF, CSV, or JSON
Log retention
Retention policies
Configure how long audit logs are retained:
| Tier | Retention Period | Storage |
|---|---|---|
| Standard | 90 days | Database |
| Extended | 1 year | Database + Archive |
| Compliance | 7 years | Archive storage |
Archiving
Older logs are automatically archived:
- Compressed and stored in archive storage
- Searchable through archive interface
- Can be restored for investigation
- Compliant with data retention regulations
Export for long-term storage
Export logs for external archiving:
1. Navigate to export: Go to Admin → Audit Logs → Export
2. Select date range: Choose the time period to export
3. Choose format: Select JSON, CSV, or JSONL format
4. Download archive: Download the compressed archive file
Security monitoring use cases
Detecting brute force attacks
Monitor for multiple failed login attempts.
Identifying compromised accounts
Look for unusual login patterns:
- Logins from new locations
- Logins at unusual times
- Multiple concurrent sessions
- Rapid provider switching
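The two checks above (a burst of failed logins, then a login from somewhere the user has never logged in from) as an added example that is not the product's own code: a sliding-window detector over constructed audit entries. JSON key names for the documented fields are assumed, and "new location" is approximated as a source IP absent from the user's earlier successful logins.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5             # failures from one source IP ...
WINDOW = timedelta(minutes=5)  # ... inside this sliding window

def entry(ts, event_type, user, ip, rid):
    # Key names are assumed; the page documents the fields, not the JSON keys.
    return {"timestamp": ts, "event_type": event_type, "user": user,
            "ip_address": ip, "request_id": rid}

# Constructed sample: a normal login, a failure burst from one IP against the
# same user, a success from that IP, and one unrelated failure.
SAMPLE_LOG = [
    entry("2024-05-01T08:00:00Z", "auth.login.success", "alice@example.com", "203.0.113.10", "r1"),
    entry("2024-05-01T09:00:00Z", "auth.login.failed", "alice@example.com", "198.51.100.7", "r2"),
    entry("2024-05-01T09:00:20Z", "auth.login.failed", "alice@example.com", "198.51.100.7", "r3"),
    entry("2024-05-01T09:00:40Z", "auth.login.failed", "alice@example.com", "198.51.100.7", "r4"),
    entry("2024-05-01T09:01:00Z", "auth.login.failed", "alice@example.com", "198.51.100.7", "r5"),
    entry("2024-05-01T09:01:20Z", "auth.login.failed", "alice@example.com", "198.51.100.7", "r6"),
    entry("2024-05-01T09:01:40Z", "auth.login.success", "alice@example.com", "198.51.100.7", "r7"),
    entry("2024-05-01T10:00:00Z", "auth.login.failed", "bob@example.com", "192.0.2.5", "r8"),
]

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def detect(entries, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (alert, user, ip, request_id) tuples; the request ID allows correlation."""
    alerts = []
    failures = defaultdict(deque)  # source IP -> timestamps of recent failures
    known_ips = defaultdict(set)   # user -> IPs seen on earlier successful logins
    bursting = set()               # IPs that crossed the failure threshold
    for e in sorted(entries, key=lambda x: x["timestamp"]):
        ts, ip, user = parse_ts(e["timestamp"]), e["ip_address"], e["user"]
        if e["event_type"] == "auth.login.failed":
            recent = failures[ip]
            recent.append(ts)
            while ts - recent[0] > window:   # drop failures outside the window
                recent.popleft()
            if len(recent) == threshold:     # fire once, when the threshold is hit
                bursting.add(ip)
                alerts.append(("brute_force", user, ip, e["request_id"]))
        elif e["event_type"] == "auth.login.success":
            if user in known_ips and ip not in known_ips[user]:
                kind = "success_after_burst" if ip in bursting else "new_location"
                alerts.append((kind, user, ip, e["request_id"]))
            known_ips[user].add(ip)
    return alerts
```

A first-ever login for a user never fires new_location, so the baseline builds itself from the user's history; tune the threshold and window to the alert's frequency threshold and time window.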
Tracking privilege escalation
Monitor role changes.
Detecting configuration tampering
Track provider configuration changes.
Troubleshooting with audit logs
Debugging authentication failures
1. Search for user: Filter logs by user email or ID
2. Find failed events: Look for auth.login.failed events
3. Review error messages: Check the error field for specific failure reasons
4. Check provider logs: Review provider-specific events around the same time
5. Verify configuration: Ensure provider configuration hasn’t changed
Investigating role issues
1. Search for user: Filter logs by user email or ID
2. Find role events: Look for user.roles.synced and user.roles.updated events
3. Review changes: Check what roles were added or removed
4. Check group mappings: Verify group-to-role mapping configuration
5. Review IdP groups: Check what groups the IdP is sending
API access to audit logs
REST API
Access audit logs programmatically.
Webhook integration
Stream audit events to external systems:
1. Configure webhook: Go to Admin → Audit Logs → Webhooks
2. Add endpoint: Enter your webhook URL
3. Select events: Choose which event types to send
4. Configure authentication: Set up webhook authentication (HMAC signature)
5. Test webhook: Send a test event to verify configuration
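Receiver-side verification for the HMAC-signed webhook in step 4, as an added example that is not the product's own code. It assumes a hex-encoded HMAC-SHA256 over the raw request body carried in an X-Signature header (both are assumptions; use the product's actual header and scheme) and checks it in constant time before the JSON is parsed.

```python
import hashlib
import hmac
import json

# Assumed header name and scheme (not from the page): hex HMAC-SHA256 of the
# raw body, keyed with the secret set in the "Configure authentication" step.
SIGNATURE_HEADER = "X-Signature"

def sign_body(secret: bytes, body: bytes) -> str:
    """Sender side: HMAC over the exact bytes that are transmitted."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_webhook(secret: bytes, headers: dict, body: bytes) -> bool:
    """Receiver side: recompute over the raw body, compare in constant time.

    Verify before parsing: re-serialising the parsed JSON can change
    whitespace or key order and silently break the signature.
    """
    presented = headers.get(SIGNATURE_HEADER, "")
    expected = sign_body(secret, body)
    return hmac.compare_digest(expected.encode(), presented.encode())

def handle_event(secret: bytes, headers: dict, body: bytes):
    """Return the parsed audit event if the signature checks out, else None."""
    if not verify_webhook(secret, headers, body):
        return None
    return json.loads(body)

# Constructed sample event using a documented event type and core fields.
SECRET = b"constructed-webhook-secret"
EVENT_BODY = json.dumps({"timestamp": "2024-05-01T09:01:40Z",
                         "event_type": "provider.updated", "severity": "Info",
                         "user": "admin@example.com", "request_id": "r9"}).encode()
GOOD_HEADERS = {SIGNATURE_HEADER: sign_body(SECRET, EVENT_BODY)}

if __name__ == "__main__":
    print(handle_event(SECRET, GOOD_HEADERS, EVENT_BODY))         # parsed event
    print(handle_event(SECRET, GOOD_HEADERS, EVENT_BODY + b" "))  # tampered: None
```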
SIEM integration
Integrate with Security Information and Event Management systems:
- Splunk
- Datadog
- Elastic Stack
- Azure Sentinel
- AWS CloudWatch
Best practices
Regular review
Review audit logs regularly (daily or weekly) to identify patterns and anomalies.
Set up alerts
Configure alerts for critical security events to enable rapid response.
Retain logs appropriately
Follow your organization’s retention policies and compliance requirements.
Protect log access
Restrict audit log access to authorized administrators only.
Export regularly
Export logs to external storage for long-term retention and disaster recovery.
Correlate events
Use request IDs to correlate related events across the authentication flow.