WebAuthnAuditLogging

Authentication Auditing

Authentication auditing can be enabled on the plugin by setting the idp.authn.webauthn.audit.enabled property to true. You’ll also need to enable general authentication audit logging on the IdP using the property idp.authn.audit.enabled in /conf/authn.properties.

Audit Format

The default audit format is shown below (the fields are described in the table underneath).

%a|%T|%SP|%I|%s|%AF|%CV|%u|%WebAuthnUID|%WebAuthnUV|%WebAuthnFM|%tu|%AR|%UA

The audit format can be adjusted by changing the idp.authn.webauthn.audit.format property. The category used for logging can be adjusted by setting the idp.authn.webauthn.audit.category property.

Audit Logging Fields

Fields unique to the WebAuthn plugin are listed below. The others are taken from the usual AuditLoggingConfiguration.

| Field | Description |
|---|---|
| WebAuthnUID | The WebAuthn ID of the user (user.id) |
| WebAuthnUV | Whether the currently authenticated user was verified by the authenticator |
| WebAuthnFM | Which authentication mode produced the final result, e.g. ‘passwordless’, ‘usernameless’, or ‘2FA’. |
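
The following is an added example, not code from the plugin or from the original page: it parses authentication audit lines by deriving the field order from the configured format string, then reports logins whose final mode was ‘passwordless’ or ‘usernameless’ but whose WebAuthnUV value is not true. The function names are hypothetical, the rendering of WebAuthnUV as the text true/false is an assumption, and the sample lines are constructed.

```python
# Added example: parse WebAuthn authentication audit lines by field name.
DEFAULT_FORMAT = ("%a|%T|%SP|%I|%s|%AF|%CV|%u|%WebAuthnUID|%WebAuthnUV|"
                  "%WebAuthnFM|%tu|%AR|%UA")

def field_names(fmt=DEFAULT_FORMAT):
    """Turn a format such as '%a|%T|...' into ['a', 'T', ...]."""
    names = []
    for token in fmt.split("|"):
        if not token.startswith("%") or len(token) < 2:
            raise ValueError(f"unsupported format token: {token!r}")
        names.append(token[1:])
    return names

def parse_line(line, fmt=DEFAULT_FORMAT):
    """Map one audit line onto the field names of the configured format."""
    names = field_names(fmt)
    # maxsplit keeps any '|' inside the final field (%UA by default) intact.
    values = line.rstrip("\n").split("|", len(names) - 1)
    if len(values) != len(names):
        raise ValueError(f"expected {len(names)} fields, got {len(values)}")
    return dict(zip(names, values))

def unverified_passwordless(lines, fmt=DEFAULT_FORMAT):
    """Return records with no password step whose UV value is not 'true'."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line, fmt)
        mode = rec.get("WebAuthnFM", "").lower()
        uv = rec.get("WebAuthnUV", "").lower()  # assumed logged as true/false
        if mode in ("passwordless", "usernameless") and uv != "true":
            hits.append(rec)
    return hits

# Constructed sample lines (not real log output); unused fields left empty.
SAMPLE = [
    "192.0.2.10|2024-05-01T10:00:00Z|https://sp.example.org|||authn/WebAuthn||alice|dWlkLWFsaWNl|true|passwordless|||Mozilla/5.0 (X11)",
    "192.0.2.11|2024-05-01T10:05:00Z|https://sp.example.org|||authn/WebAuthn||bob|dWlkLWJvYg|false|usernameless|||Agent|with|pipes",
    "192.0.2.12|2024-05-01T10:09:00Z|https://sp.example.org|||authn/WebAuthn||carol|dWlkLWNhcm9s|false|2FA|||Mozilla/5.0 (X11)",
]

if __name__ == "__main__":
    for rec in unverified_passwordless(SAMPLE):
        print(rec["T"], rec["u"], rec["WebAuthnFM"], rec["UA"])
```

If idp.authn.webauthn.audit.format has been changed, pass the same string as fmt; a field other than the last one that contains a literal ‘|’ cannot be split reliably.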

Registration Auditing

Registration auditing can be enabled on the plugin by setting the idp.authn.webauthn.registration.audit.enabled property to true.

Audit Format

The default audit format is shown below (the fields are described in the table underneath).

%a|%T|%u|%WebAuthnAdminAO|%WebAuthnAdminAction|%WebAuthnAdminCR|%WebAuthnAdminCA|%WebAuthnAdminAU|%UA

The audit format can be adjusted by changing the idp.authn.webauthn.registration.audit.format property. The category used for logging can be adjusted by setting the idp.authn.webauthn.registration.audit.category property.

Audit Logging Fields

Fields unique to the WebAuthn plugin are listed below. The others are taken from the usual AuditLoggingConfiguration.

| Field | Description |
|---|---|
| WebAuthnAdminAO | An admin action’s outcome. Typically ‘success’ or ‘failure’. |
| WebAuthnAdminAction | The type of admin action performed. For example, ‘credential-added’ or ‘credential-removed’. |
| WebAuthnAdminCR | The ID of the credential that was removed |
| WebAuthnAdminCA | The ID of the credential that was added |
| WebAuthnAdminAU | The principal name of the user the admin action was performed on. |

Credential Management Auditing

Credential management auditing can be enabled on the plugin by setting the idp.authn.webauthn.registration.audit.enabled property to true.

Audit Format

The default audit format is shown below.

%a|%T|%u|%WebAuthnAdminAO|%WebAuthnAdminAction|%WebAuthnAdminCR|%WebAuthnAdminAU|%UA

The audit format can be adjusted by changing the idp.authn.webauthn.admin.management.audit.format property. The category used for logging can be adjusted by setting the idp.authn.webauthn.admin.management.audit.category property.

Audit Logging Fields

These are the same as the registration auditing table above.