IBM_SECURITY_FEDERATION events
This event type is generated when a federation event occurs.
An IBM_SECURITY_FEDERATION event is generated by the following
actions:
- When a user identity mapping is created, that is, when a user is federated.
- When a user consents to federate.
- When a user identity mapping is deleted, that is, when a user is de-federated.
- When a user mapping is updated, for example, an RNI operation.
The following table lists the elements that can be shown in the output of an IBM_SECURITY_FEDERATION event.
| Element | Description |
|---|---|
| action | The type of federation action: The XPath is: |
| messageAction | The type of action that is associated with the message. The XPath is: |
| partner | The partner that sends or receives the message. The XPath is: |
| profile | The profile within the federation. The XPath is: |
| protocolName | The type of federation protocol. The XPath is: |
| role | The role that the audit generating component takes. The XPath is: |
| userInfo.appUserName | Information about the user who is performing this operation. The XPath is: |
Action-dependent additional attributes
Depending on the type of federation event action, the following attributes are available:
| Action | Additional attributes | Description |
|---|---|---|
| CreateMapping | selfAlias | If a self alias is set for the user, then this attribute shows that value. The XPath for the attribute name is: The XPath for the attribute value is: |
| CreateMapping | partnerAlias | If a partner alias is set for the user, then this attribute shows that value. The XPath for the attribute name is: The XPath for the attribute value is: |
| ConsentToFederate | ConsentToFederate | This attribute specifies whether the user consented to federate. This event applies to Liberty and SAML20 protocol flows. The XPath for the attribute name is: The XPath for the attribute value is: |
| DeleteMapping | None | None |
| UpdateMapping | selfAlias | If a self alias is set for the user, then this attribute shows the updated value. The XPath for the attribute name is: The XPath for the attribute value is: |
| UpdateMapping | partnerAlias | If a partner alias is set for the user, then this attribute shows the updated value. The XPath for the attribute name is: The XPath for the attribute value is: |
Sample of an IBM_SECURITY_FEDERATION event
The following example shows an IBM_SECURITY_FEDERATION event:
<CommonBaseEvent
creationTime="2006-04-05T20:09:41.983Z"
extensionName="IBM_SECURITY_FEDERATION"
globalInstanceId="CE11DAC4E01E4BBF50E69681063F1AA1AF"
sequenceNumber="7"
version="1.0.1">
<extendedDataElements name="action" type="string">
<values>DeleteMapping</values>
</extendedDataElements>
<extendedDataElements name="partner" type="string">
<values>https://sp:444/FIM/sps/saml20-sp/saml20</values>
</extendedDataElements>
<extendedDataElements name="relayState" type="string">
<values>Not Available</values>
</extendedDataElements>
<extendedDataElements name="outcome" type="noValue">
<children name="majorStatus" type="int"><values>0</values></children>
<children name="result" type="string"><values>SUCCESSFUL</values></children>
</extendedDataElements>
<extendedDataElements name="clientInfo" type="boolean">
<values>false</values>
</extendedDataElements>
<extendedDataElements name="role" type="string">
<values>IP</values>
</extendedDataElements>
<extendedDataElements name="messageAction" type="string">
<values>RECEIVED</values>
</extendedDataElements>
<extendedDataElements name="profile" type="string">
<values>urn:oasis:names:tc:SAML:2.0:profiles:SSO:nameid-mgmt</values>
</extendedDataElements>
<extendedDataElements name="protocolName" type="string">
<values>urn:oasis:names:tc:SAML:2.0:protocol</values>
</extendedDataElements>
<extendedDataElements name="userInfoList" type="noValue">
<children name="userInfo" type="noValue">
<children name="appUserName" type="string"><values>Elain</values></children>
<children name="registryUserName" type="string">
<values>Not Available</values></children>
</children>
</extendedDataElements>
<sourceComponentId
application="IBM® Verify Identity Access"
component="Authentication and Federated Identity"
componentIdType="ProductName"
executionEnvironment="Linux[x86]#2.4.21-4.EL"
location="fimtest.au.ibm.com"
locationType="FQHostname"
subComponent=
"com.tivoli.am.fim.saml20.protocol.actions.nimgmt.
SAML20ProcessManageNameIDMessageAction"
threadId="WebContainer : 1"
componentType="http://www.ibm.com/namespaces/autonomic/Tivoli_componentTypes"/>
<situation categoryName="ReportSituation">
<situationType xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="ReportSituation"
reasoningScope="INTERNAL"
reportCatagory="SECURITY"/>
</situation>
</CommonBaseEvent>
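For log triage, the event above can be flattened into name/value pairs so that account-linking changes are easy to filter on. The following Python sketch is an added example, not IBM code: the function names, the dotted key format (for example `userInfoList.userInfo.appUserName`) and the `mappingChanged` flag are assumptions made here, and the embedded event is a shortened copy of the sample on this page.

```python
import xml.etree.ElementTree as ET

# Actions named on this page that change a user's federated identity mapping.
MAPPING_CHANGES = {"CreateMapping", "UpdateMapping", "DeleteMapping"}

# Constructed sample: a shortened copy of the event shown on this page.
SAMPLE_EVENT = """<CommonBaseEvent creationTime="2006-04-05T20:09:41.983Z"
    extensionName="IBM_SECURITY_FEDERATION" sequenceNumber="7" version="1.0.1">
  <extendedDataElements name="action" type="string"><values>DeleteMapping</values></extendedDataElements>
  <extendedDataElements name="partner" type="string"><values>https://sp:444/FIM/sps/saml20-sp/saml20</values></extendedDataElements>
  <extendedDataElements name="role" type="string"><values>IP</values></extendedDataElements>
  <extendedDataElements name="outcome" type="noValue">
    <children name="result" type="string"><values>SUCCESSFUL</values></children>
  </extendedDataElements>
  <extendedDataElements name="userInfoList" type="noValue">
    <children name="userInfo" type="noValue">
      <children name="appUserName" type="string"><values>Elain</values></children>
    </children>
  </extendedDataElements>
</CommonBaseEvent>"""

def _local(tag):
    """Drop an XML namespace prefix such as '{uri}values' if one is present."""
    return tag.rsplit("}", 1)[-1]

def _flatten(node, prefix, out):
    """Record name -> value for an element and, recursively, its nested <children>."""
    key = prefix + node.get("name", "")
    values = [c.text.strip() for c in node if _local(c.tag) == "values" and c.text]
    if values:
        out[key] = values[0] if len(values) == 1 else values
    for child in node:
        if _local(child.tag) == "children":
            _flatten(child, key + ".", out)

def parse_federation_event(xml_text):
    """Return a flat dict for an IBM_SECURITY_FEDERATION event, or None for other types."""
    root = ET.fromstring(xml_text)
    if root.get("extensionName") != "IBM_SECURITY_FEDERATION":
        return None
    fields = {"creationTime": root.get("creationTime")}
    for elem in root:
        if _local(elem.tag) == "extendedDataElements":
            _flatten(elem, "", fields)
    # Assumed triage flag: a mapping-changing action that completed successfully.
    fields["mappingChanged"] = (fields.get("action") in MAPPING_CHANGES
                                and fields.get("outcome.result") == "SUCCESSFUL")
    return fields
```

Elements of type `noValue` carry no value of their own, so only their nested children appear in the result.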