WebAuthnAuditLogging
- Philip Smart
Authentication Auditing
Authentication auditing can be enabled on the plugin by setting the idp.authn.webauthn.audit.enabled property to true. You’ll also need to enable general authentication audit logging on the IdP using the property idp.authn.audit.enabled in /conf/authn.properties.
Audit Format
The default audit format is shown below (the fields are described in the table underneath).
%a|%T|%SP|%I|%s|%AF|%CV|%u|%WebAuthnUID|%WebAuthnUV|%WebAuthnFM|%tu|%AR|%UAThe audit format can be adjusted by changing the idp.authn.webauthn.audit.format property. The category used for logging can be adjusted by setting the idp.authn.webauthn.audit.category property.
Audit Logging Fields
Fields unique to the WebAuthn plugin are listed below. The others are taken from the usual AuditLogginConfiguration.
Field | Description |
|---|---|
WebAuthnUID | The WebAuthn ID of the user (user.id) |
WebAuthnUV | Was the currently authenticated user verified by the authenticator |
WebAuthnFM | Which authentication mode produce the final result e.g. ‘passwordless’, ‘usernameless’, or ‘2FA’. |
Registration Auditing
Registration auditing can be enabled on the plugin by setting the idp.authn.webauthn.registration.audit.enabled property to true.
Audit Format
The default audit format is shown below (the fields are described in the table underneath).
%a|%T|%u|%WebAuthnAdminAO|%WebAuthnAdminAction|%WebAuthnAdminCR|%WebAuthnAdminCA|%WebAuthnAdminAU|%UAThe audit format can be adjusted by changing the idp.authn.webauthn.registration.audit.format property. The category used for logging can be adjusted by setting the idp.authn.webauthn.registration.audit.category property.
Audit Logging Fields
Fields unique to the WebAuthn plugin are listed below. The others are taken from the usual AuditLogginConfiguration.
Field | Description |
|---|---|
WebAuthnAdminAO | An admin action’s outcome. Typically ‘success’ or ‘failure'. |
WebAuthnAdminAction | The type of admin action performed. For example, ‘credential-added’, or ‘credential-removed’. |
WebAuthnAdminCR | The ID of the credential that was removed |
WebAuthnAdminCA | The ID of the credential that was added |
WebAuthnAdminAU | The principal name of the user the admin action was performed on. |
Credential Management Auditing
Credential management auditing can be enabled on the plugin by setting the idp.authn.webauthn.registration.audit.enabled property to true.
Audit Format
The default audit format is shown below.
%a|%T|%u|%WebAuthnAdminAO|%WebAuthnAdminAction|%WebAuthnAdminCR|%WebAuthnAdminAU|%UAThe audit format can be adjusted by changing the idp.authn.webauthn.admin.management.audit.format property. The category used for logging can be adjusted by setting the idp.authn.webauthn.admin.management.audit.category property.
Audit Logging Fields
These are the same as the registration auditing table above.