Spenserq-8118 asked ·

ADFS - possibility to determine which application a user has logged in to

Hello,

In our environment we use ADFS for authentication to various applications, and we would like to have a report about how many users logged in through ADFS to a specific application.

At the basic logging level I was able to find only events 4624 and 4648, about the ADFS service account logon on the user account.

At the verbose logging level I can see events like 1200 or 1202, where we have information about the user ID, but there is still no information about which application the user logged in to. There is also an IP address, but in our case it is the address of the load balancer.

Is there any option to determine which application a user logged in to through ADFS?

Thanks for any help.

adfs
piaudonn answered ·

This is an example of the event 1200:

 The Federation Service issued a valid token. See XML for details. 
    
 Activity ID: 9d4acd9f-c9ee-495e-0e00-0080000000d5 
    
 Additional Data 
 XML: <?xml version="1.0" encoding="utf-16"?>
 <AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AppTokenAudit">
   <AuditType>AppToken</AuditType>
   <AuditResult>Success</AuditResult>
   <FailureType>None</FailureType>
   <ErrorCode>N/A</ErrorCode>
   <ContextComponents>
     <Component xsi:type="ResourceAuditComponent">
       <RelyingParty>urn:microsoft:adfs:claimsxray</RelyingParty>
       <ClaimsProvider>AD AUTHORITY</ClaimsProvider>
       <UserId>V\piaudonnmsdn</UserId>
     </Component>
     <Component xsi:type="AuthNAuditComponent">
       <PrimaryAuth>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</PrimaryAuth>
       <DeviceAuth>false</DeviceAuth>
       <DeviceId>N/A</DeviceId>
       <MfaPerformed>false</MfaPerformed>
       <MfaMethod>N/A</MfaMethod>
       <TokenBindingProvidedId>true</TokenBindingProvidedId>
       <TokenBindingReferredId>false</TokenBindingReferredId>
       <SsoBindingValidationLevel>TokenBoundAndValid</SsoBindingValidationLevel>
     </Component>
     <Component xsi:type="ProtocolAuditComponent">
       <OAuthClientId>N/A</OAuthClientId>
       <OAuthGrant>N/A</OAuthGrant>
     </Component>
     <Component xsi:type="RequestAuditComponent">
       <Server>http://sts.verenatex.com/adfs/services/trust</Server>
       <AuthProtocol>WSFederation</AuthProtocol>
       <NetworkLocation>Intranet</NetworkLocation>
       <IpAddress>10.0.1.8</IpAddress>
       <ForwardedIpAddress />
       <ProxyIpAddress>N/A</ProxyIpAddress>
       <NetworkIpAddress>N/A</NetworkIpAddress>
       <ProxyServer>N/A</ProxyServer>
       <UserAgentString>Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; Touch; .NET4.0C; .NET4.0E)</UserAgentString>
       <Endpoint>/adfs/ls</Endpoint>
     </Component>
   </ContextComponents>
 </AuditBase>

You can see there is a relying party trust section "<RelyingParty>urn:microsoft:adfs:claimsxray</RelyingParty>". Don't you have it in your events?

For the load balancer IP, it depends on your implementation. Do you use WAP servers? Are your load balancers doing NAT?

Spenserq-8118 answered ·

Hello @piaudonn,

Thanks for your quick answer.

Yes, we use WAP servers, but for the question about doing NAT on load balancers I don't know the answer.
I quickly checked the logs, and in <RelyingParty> I can find only 2 values:

So unfortunately this is not what I'm looking for, because I can't determine whether a user authenticated to application ABC or DEF.
Do you have any other idea how I could solve that problem?
piaudonn answered ·

urn:federation:MicrosoftOnline
microsoft:identityserver:XXXX.coupahost.com

are the identifiers of the relying parties. This is the information you are looking for (maybe not in the format you want). You can see the identifiers in the ADFS admin console, or in PowerShell in the output of Get-ADFSRelyingPartyTrust.

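Putting the two answers together (the structure of event 1200 shown in the first answer, and the relying party identifiers explained in the last one), here is an added example in Python that is not part of the thread. It pulls <RelyingParty>, <UserId> and the address fields out of the XML payload of an event 1200 message and counts successful token issuances and distinct users per relying party, which is the per-application report the question asks for. The sample events are constructed from the layout of the event quoted above, with hypothetical users, addresses and server name; the two relying party identifiers are the ones quoted in the thread, the friendly names in RP_NAMES are an assumption standing in for what Get-ADFSRelyingPartyTrust would return, and the function names are mine.

```python
"""Count AD FS event 1200 (token issued) audits per relying party.

Added example: parses the XML payload carried in the event message and
aggregates successful issuances per <RelyingParty>, i.e. per application.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Assumption: display names you would look up with Get-ADFSRelyingPartyTrust.
# The identifiers are the two quoted in the thread; the names are hypothetical.
RP_NAMES = {
    "urn:federation:MicrosoftOnline": "Microsoft 365",
    "microsoft:identityserver:XXXX.coupahost.com": "Coupa",
}


def parse_event_1200(message):
    """Return the audit fields of one event 1200/1202 message as a flat dict."""
    start = message.find("<?xml")
    if start < 0:
        raise ValueError("event message carries no XML payload")
    xml_text = message[start:]
    # The declaration claims utf-16, but Get-WinEvent already hands the message
    # back as a string, so drop the declaration before parsing.
    xml_text = re.sub(r"^<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(xml_text)
    fields = {
        "audit_type": root.findtext("AuditType"),
        "result": root.findtext("AuditResult"),
    }
    # Every <Component> (Resource, AuthN, Protocol, Request) holds flat leaf
    # elements such as RelyingParty, UserId, IpAddress, ForwardedIpAddress.
    for component in root.iter("Component"):
        for leaf in component:
            fields[leaf.tag] = (leaf.text or "").strip()
    return fields


def client_ip(fields):
    """Best-effort client address for one event.

    ForwardedIpAddress is only populated when the WAP or load balancer passes
    the original client address through; otherwise IpAddress is the address of
    the device in front of AD FS, which is exactly the load balancer problem
    raised in the question.
    """
    forwarded = fields.get("ForwardedIpAddress", "")
    if forwarded and forwarded != "N/A":
        return forwarded.split(",")[0].strip()  # first hop of an XFF chain
    return fields.get("IpAddress", "")


def summarize(messages, rp_names=RP_NAMES):
    """Per relying party: number of successful token issuances and distinct users."""
    logons = Counter()
    users = defaultdict(set)
    for message in messages:
        fields = parse_event_1200(message)
        # Only count issued tokens; failures (and other audit types) are skipped.
        if fields["audit_type"] != "AppToken" or fields["result"] != "Success":
            continue
        rp = fields.get("RelyingParty", "N/A")
        logons[rp] += 1
        users[rp].add(fields.get("UserId"))
    return {
        rp: {"name": rp_names.get(rp, rp), "logons": count, "users": len(users[rp])}
        for rp, count in logons.items()
    }


# Constructed sample events, shaped like the event 1200 quoted in the thread.
_EVENT_TEMPLATE = """The Federation Service issued a valid token. See XML for details.
Activity ID: 00000000-0000-0000-0000-000000000000
Additional Data
XML: <?xml version="1.0" encoding="utf-16"?>
<AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AppTokenAudit">
  <AuditType>AppToken</AuditType>
  <AuditResult>{result}</AuditResult>
  <FailureType>None</FailureType>
  <ErrorCode>N/A</ErrorCode>
  <ContextComponents>
    <Component xsi:type="ResourceAuditComponent">
      <RelyingParty>{rp}</RelyingParty>
      <ClaimsProvider>AD AUTHORITY</ClaimsProvider>
      <UserId>{user}</UserId>
    </Component>
    <Component xsi:type="RequestAuditComponent">
      <Server>http://sts.example.com/adfs/services/trust</Server>
      <AuthProtocol>WSFederation</AuthProtocol>
      <NetworkLocation>{location}</NetworkLocation>
      <IpAddress>{ip}</IpAddress>
      <ForwardedIpAddress>{forwarded}</ForwardedIpAddress>
      <ProxyIpAddress>N/A</ProxyIpAddress>
      <Endpoint>/adfs/ls</Endpoint>
    </Component>
  </ContextComponents>
</AuditBase>"""


def make_event(rp, user, ip, forwarded="", location="Intranet", result="Success"):
    """Build one constructed event 1200 message (hypothetical users/addresses)."""
    return _EVENT_TEMPLATE.format(rp=rp, user=user, ip=ip, forwarded=forwarded,
                                  location=location, result=result)


SAMPLE_EVENTS = [
    make_event("urn:federation:MicrosoftOnline", "CONTOSO\\alice", "10.0.1.8"),
    make_event("urn:federation:MicrosoftOnline", "CONTOSO\\bob", "10.0.1.8",
               forwarded="203.0.113.7", location="Extranet"),
    make_event("urn:federation:MicrosoftOnline", "CONTOSO\\alice", "10.0.1.8"),
    make_event("microsoft:identityserver:XXXX.coupahost.com", "CONTOSO\\carol", "10.0.1.8"),
    make_event("microsoft:identityserver:XXXX.coupahost.com", "CONTOSO\\dave", "10.0.1.8",
               result="Failure"),  # excluded from the counts
]

if __name__ == "__main__":
    for rp, row in summarize(SAMPLE_EVENTS).items():
        print(f"{row['name']:<14} {rp:<48} logons={row['logons']} users={row['users']}")
```

To run it over real data, feed it the Message strings of the 1200 events from each federation server in the farm, for example from Get-WinEvent -FilterHashtable @{LogName='Security'; ProviderName='AD FS Auditing'; Id=1200}; the audit is written to the Security log of the node that issued the token, so every node has to be collected. Whether the address column is meaningful comes back to the point raised in the first answer: ForwardedIpAddress is only filled when the WAP or load balancer forwards the client address, otherwise IpAddress is the balancer's own.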