When a user logs into an IDP, either for a standard reverse-proxied session to an AG or just for SAML federations etc., the audit events should tell us the browser/client IP address. This is a crucial piece of information that is completely missing! Instead, all that is shown is the IDP's own address. There is no firewall or L4 switch in the mix here for this simple beta lab setup. Only 3 servers: a standalone IDP, MAG, and AC that are on the same subnet as each other and as the client browser.
Events below have been parsed by Sentinel 6.1 SP2 (also on the same subnet as the NAM beta servers and browser); results are the same on Sentinel 7.0 as well. They show a username of "JohnSmith" logging in and then logging out.
Code:
Severity EventTime EventName Message XDASTaxonomyName XDASOutcomeName InitUserName InitUserDomain InitUserFullName InitUserDepartment EffectiveUserName InitHostName InitIP InitAssetFunction InitServicePortName TargetUserName TargetUserDomain TargetUserFullName TargetUserDepartment TargetHostName TargetIP TargetAssetFunction TargetServicePortName TargetTrustName FileName DataContext ObserverHostName ObserverIP MSSPCustomerName ReporterHostName ReporterIP
0 1/21/2012 15:32 NIDS: Logged out a local authentication AMDEVICEID#esp-73768320D7C25697: AMAUTHID#6A4BDE9482F944211989FDCDF4C86916: Logged out a local authentication. User: [cn=JohnSmith,o=Company] TimedOut: [False] XDAS_AE_TERMINATE_SESSION XDAS_OUT_SUCCESS cn=JohnSmith,o=Company 192.168.218.224 Novell Access Manager 192.168.218.224 unknown 192.168.218.224
0 1/21/2012 15:32 NIDS: Logged out an authentication that was provided to a remote consumer AMDEVICEID#esp-73768320D7C25697: AMAUTHID#6A4BDE9482F944211989FDCDF4C86916: Logged out an authentication that was provided to a remote consumer. User: [cn=JohnSmith,o=Company] TimedOut: [False] XDAS_AE_TERMINATE_SESSION XDAS_OUT_SUCCESS 192.168.218.224 Novell Access Manager cn=JohnSmith,o=Company 192.168.218.224 unknown 192.168.218.224
0 1/21/2012 15:32 NIDS: Logged out a local authentication AMDEVICEID#0881CFF5BBF0D19A: AMAUTHID#F7EC674AB8C2190B4ABE4E48FB272101: Logged out a local authentication. User: [cn=JohnSmith,o=Company] TimedOut: [False] XDAS_AE_TERMINATE_SESSION XDAS_OUT_SUCCESS cn=JohnSmith,o=Company 192.168.218.169 Novell Access Manager 192.168.218.169 unknown 192.168.218.169
0 1/21/2012 15:32 NIDS: User session was authenticated AMDEVICEID#esp-73768320D7C25697: AMAUTHID#6A4BDE9482F944211989FDCDF4C86916: User session was authenticated: [cn=JohnSmith,o=Company]. Authentication Type: [https://beta-auth-https.MyCompany.com:443/nesp/idff/metadata] Authenticating Entity Name: [null] Contract Class or Method Name: [name/password/uri] XDAS_AE_CREATE_SESSION XDAS_OUT_SUCCESS 192.168.218.224 Novell Access Manager cn=JohnSmith,o=Company metadata https://beta-auth-https.MyCompany.com:443/nesp/idff 192.168.218.224 unknown 192.168.218.224
0 1/21/2012 15:32 NIDS: Provided an authentication to a remote consumer AMDEVICEID#0881CFF5BBF0D19A: AMAUTHID#F7EC674AB8C2190B4ABE4E48FB272101: Provided an authentication to a remote consumer on behalf of user: [cn=JohnSmith,o=Company]. Authentication Type: [https://beta-idp.MyCompany.com/nidp/idff/metadata] Authenticating Entity Name: [https://beta-auth-https.MyCompany.com:443/nesp/idff/metadata] Contract Class or Method Name: [name/password/uri] XDAS_AE_CREATE_SESSION XDAS_OUT_SUCCESS 192.168.218.169 Novell Access Manager cn=JohnSmith,o=Company metadata https://beta-idp.MyCompany.com/nidp/idff 192.168.218.169 unknown 192.168.218.169
0 1/21/2012 15:32 NIDS: Roles assignment policy evaluation AMDEVICEID#0881CFF5BBF0D19A: AM#500199050: AMAUTHID#F7EC674AB8C2190B4ABE4E48FB272101: Roles assignment policy evaluaton Assigned Roles: [authenticated] Policy Action Invoked: [system-generated-action] XDAS_AE_MODIFY_SERVICE_CONFIG XDAS_OUT_SUCCESS 192.168.218.169 Novell Access Manager 192.168.218.169 unknown 192.168.218.169
0 1/21/2012 15:32 NIDS: Roles assignment policy evaluation AMDEVICEID#0881CFF5BBF0D19A: AM#500199050: AMAUTHID#F7EC674AB8C2190B4ABE4E48FB272101: Roles assignment policy evaluaton Assigned Roles: [Employee] Policy Action Invoked: [Document=(ou=xpemlPEP,ou=mastercdn,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc),Policy=(Role_Activate),Rule=(1::RuleID_1325959794615),Action=(AddRole::Action] XDAS_AE_MODIFY_SERVICE_CONFIG XDAS_OUT_SUCCESS 192.168.218.169 Novell Access Manager 192.168.218.169 unknown 192.168.218.169
0 1/21/2012 15:32 NIDS: User session was authenticated AMDEVICEID#0881CFF5BBF0D19A: AMAUTHID#F7EC674AB8C2190B4ABE4E48FB272101: User session was authenticated: [cn=JohnSmith,o=Company]. Authentication Type: [Local] Authenticating Entity Name: [Name/Password - Form] Contract Class or Method Name: [name/password/uri] XDAS_AE_CREATE_SESSION XDAS_OUT_SUCCESS 192.168.218.169 Novell Access Manager cn=JohnSmith,o=Company Local 192.168.218.169 unknown 192.168.218.169
NAM IDP: 192.168.218.169
NAM AG: 192.168.218.224
Browser IP: 192.168.218.103 (never shows up in any audit events from IDP)
- Stefan