Manual Chapter: Managing Federation reports
Applies To: BIG-IQ Centralized Management
- 8.3.0, 8.2.0, 8.1.0, 8.0.0, 7.1.0
About monitoring OAuth Authorization Server data
BIG-IQ Access users can configure managed BIG-IP devices in an Access Group to act as an OAuth authorization server or a resource server. Once you have configured an OAuth Authorization Server, you can use BIG-IQ to monitor the number of tokens requested and generated by the OAuth Authorization Server, view the number of client applications used to access external resources, and view the number of errors the OAuth Authorization Server has encountered. You can also organize the Authorization Server Summary report by grant type or view data from a specific time period.
Use the Authorization Server Summary dashboard to troubleshoot issues with the BIG-IP device you have configured as an OAuth Authorization Server.
View and configure OAuth authorization server reports
Before BIG-IQ can display Access report data for a managed BIG-IP device, you must first complete the following tasks:
- Add the managed BIG-IP device to the BIG-IQ Centralized Management inventory
- Discover and import the managed BIG-IP device
- Have a BIG-IQ user enable Access remote logging configuration on the managed BIG-IP device
- Admin
- Access Manager
- Access Deployer
You can use BIG-IQ Centralized Management to generate a summary report for your OAuth authorization server. Controls on this screen work together so you can fine-tune the statistics display. You may also use this workflow to revoke an OAuth token.
- Navigate to.
- At the top left of the screen, from the ACCESS GROUP/DEVICES list, either select one of the first two options (All Devices and All Managed Devices) or select one or more of the other options (<Access group name>, <Cluster display name>, or <Device name>).
  - All Managed Devices: Includes all Access devices that are currently discovered.
  - <Access group name>: Select to include all devices in the Access group.
  - <Cluster display name>: Select to include the devices in the cluster.
  - <Device name>: Select to include the device. You can select any device from Managed Devices, <Access group name>, or <Cluster display name>.
- From the TIMEFRAME menu, specify a time frame:
  - Select a predefined time period. These range from Last hour to Last 3 months.
  - Set a custom time period. Select Between, After, or Before, and click the additional fields that display to set dates and times that support your selection.
- To change the OAuth authorization server you view in this report, make a selection from the AUTHORIZATION SERVER list.
- To change the OAuth grant type displayed on this screen, make a selection from the GRANT TYPE dropdown list. You can choose to generate a report for Resource Owner Password Credentials (ROPC) grant types, implicit grant types, or authorization code grant types.
- To save report data in a comma-separated values (CSV) file, click the CSV Report button. The CSV file downloads.
- To refresh the data on this dashboard immediately, click Refresh. To configure an automatic refresh, click the arrow next to it and then select 1 minute, 5 minutes, or 10 minutes. You can also Disable automatic refresh from this menu.
- To learn more details for the categories across the top of the page, select Total Access Tokens, Token Errors, Unique Users, Unique Client Apps, or Introspection Errors. BIG-IQ displays a screen with additional metrics for this recorded category. For example, to view all token errors that result from the authorization code request type, select Token Errors, then view the data you are interested in under the chart titled TOP ERRORS BY REQUEST TYPE.
- To exit the nested view or to move up one level, select the breadcrumbs links at the top of the dashboard you want to navigate to.
- To add or remove metrics for token generation, on the TOKEN GENERATION REQUESTS OVER TIME chart, click on the name of the metric that you want to remove.
- You can use the bar charts to drill down and generate a customized report. These charts are TOP 10 USERS, TOP 10 CLIENT APPS, TOP 10 RESOURCE SERVERS, TOP 10 OAUTH CLIENT IP'S, GEOLOCATION DISTRIBUTION, and USER PLATFORM DISTRIBUTION. For example, to view data for a specific user and for a particular OAuth client IP address, select the user you are interested in under the TOP 10 USERS dashboard, and then select the IP address under the TOP 10 OAUTH CLIENT IP's dashboard. As you drill down, you will be able to view customized combinations of data.
- To revoke an OAuth token, drill down one level into any of the fields on the dashboard. At the bottom of the screen, select the checkbox next to the OAuth tokens you wish to revoke.
- Select Revoke Selected Tokens, and then select OK.
- To exit the nested view or to move up one level, select the breadcrumbs links at the top of the dashboard you want to navigate to.
What data can you monitor from the Authorization Server Summary dashboard?
Use the Authorization Server Summary dashboard to track the overall health of your OAuth server. See the notes below to learn more about each category for which you can record data.
What is on this dashboard?
Value | Functionality |
---|---|
Total Access Tokens | This chart displays the total number of access tokens generated by the OAuth server. |
Token Errors | This chart displays the total number of token errors from the OAuth server. |
Unique Users | This chart displays the total number of unique users in the OAuth configuration. |
Unique Client Apps | This chart displays the total number of unique client applications accessed by users. |
Introspection Errors | This chart displays the total number of introspection errors in the OAuth configuration. |
TOKEN GENERATION REQUESTS OVER TIME | This line chart displays requests for token generation over time. |
TOP 10 OAUTH CLIENT IPs | This chart displays the top ten Internet service providers that use the OAuth client configuration. |
TOP 10 USERS | This chart displays the top ten users who use the OAuth authorization server. |
TOP 10 CLIENT APPS | This chart displays the top ten client applications that use the OAuth authorization server. |
USER PLATFORM DISTRIBUTION | This chart displays the platform (such as operating system or mobile device) that distributes the OAuth service. |
GEOLOCATION DISTRIBUTION | This chart displays the country from which users are accessing the OAuth resource. |
About monitoring OAuth server performance
BIG-IQ Access users can view the Authorization Server Performance screen to track the health of an OAuth authorization server. If you previously configured a managed BIG-IP device running APM as an OAuth Authorization Server, you will be able to track the health of the server from this dashboard. You can also troubleshoot issues with token generation requests, and view data for token generation organized by grant type. Controls on this screen work together so you can fine-tune the statistics display.
View and configure the OAuth server performance dashboard
Before BIG-IQ can display Access report data for a managed BIG-IP device, you must first complete the following tasks:
- Add the managed BIG-IP device to the BIG-IQ Centralized Management inventory
- Discover and import the managed BIG-IP device
- Have a BIG-IQ user enable Access remote logging configuration on the managed BIG-IP device
- Admin
- Access Manager
- Access Deployer
The Authentication Server Summary screen shows several charts that you can use to track the health of your authorization server role. Controls on this screen work together so you can fine-tune the statistics display.
- Click. BIG-IQ opens the Authorization Server Performance screen.
- At the top left of the screen, from the ACCESS GROUP/DEVICES list, either select one of the first two options (All Devices and All Managed Devices) or select one or more of the other options (<Access group name>, <Cluster display name>, or <Device name>).
  - All Managed Devices: Includes all Access devices that are currently discovered.
  - <Access group name>: Select to include all devices in the Access group.
  - <Cluster display name>: Select to include the devices in the cluster.
  - <Device name>: Select to include the device. You can select any device from Managed Devices, <Access group name>, or <Cluster display name>.
- From the TIMEFRAME menu, specify a time frame:
  - Select a predefined time period. These range from Last hour to Last 3 months.
  - Set a custom time period. Select Between, After, or Before, and click the additional fields that display to set dates and times that support your selection.
- From the AUTHORIZATION SERVER list, select an OAuth authorization server.
- To save report data in a comma-separated values (CSV) file, click the CSV Report button. The CSV file downloads.
- To refresh the data on this dashboard immediately, click Refresh. To configure an automatic refresh, click the arrow next to it and then select 1 minute, 5 minutes, or 10 minutes. You can also Disable automatic refresh from this menu.
- To view data for a different OAuth resource, make a selection from the Resource dropdown.
- For the line charts on this dashboard, select any of the metrics in order to remove or add each metric to the chart and view a customized data set.
What data can you monitor from the Authorization Server Performance dashboard?
The Authorization Server Performance screen shows several charts that you can use to track the health of your OAuth authorization server. See the notes below to learn more about each category for which you can record data.
What charts are on this dashboard?
Chart | Functionality |
---|---|
OVERVIEW | This chart summarizes performance statistics for requests that this OAuth authorization server processed. |
AUTH CODE GRANT | This chart displays statistics for the authorization code grants that this OAuth server processed. |
IMPLICIT GRANT | This chart displays statistics for the implicit grants that this OAuth server processed. |
ROPC GRANT | This chart displays statistics for the resource owner password credentials (ROPC) grants that this OAuth server processed. |
TOKEN INTROSPECTION | This chart displays statistics for the token introspection requests that this OAuth server processed. |
What metrics are reported in the charts in the dashboard?
Value | Definition |
---|---|
Requests | Displays the rate at which the total OAuth requests were received. |
Auth Codes Issued | Displays the rate at which the total authentication codes were received. |
Tokens Issued | Displays the rate at which the OAuth server issued tokens. |
Refresh Tokens Issued | Displays the rate at which the OAuth server issued refresh tokens for the authorization code and ROPC grant types. |
Tokens Introspected | Displays the rate at which the OAuth server processed successful token introspection requests. |
Implicit | Displays the rate at which the OAuth server processes implicit grants. |
ROPC | Displays the rate at which the OAuth server processes ROPC grants. |
Failed Requests | Displays the rate at which the OAuth server processed unsuccessful requests. |
About monitoring OAuth authorization server tokens
If you have configured a managed BIG-IP device to function as an OAuth Authorization server, you can use BIG-IQ to track the health of your OAuth tokens and view key token metrics. To do so, view the Token Summary screen. Data appears when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.
View and configure the OAuth token summary dashboard
Before BIG-IQ can display Access report data for a managed BIG-IP device, you must first complete the following tasks:
- Add the managed BIG-IP device to the BIG-IQ Centralized Management inventory
- Discover and import the managed BIG-IP device
- Have a BIG-IQ user enable Access remote logging configuration on the managed BIG-IP device
- Admin
- Access Manager
- Access Deployer
The Token Summary screen shows several charts that you can use to track the health of your OAuth tokens. Data appears when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.
- Click. BIG-IQ opens the Token Summary screen.
- At the top left of the screen, from the ACCESS GROUP/DEVICES list, either select one of the first two options (All Devices and All Managed Devices) or select one or more of the other options (<Access group name>, <Cluster display name>, or <Device name>).
  - All Managed Devices: Includes all Access devices that are currently discovered.
  - <Access group name>: Select to include all devices in the Access group.
  - <Cluster display name>: Select to include the devices in the cluster.
  - <Device name>: Select to include the device. You can select any device from Managed Devices, <Access group name>, or <Cluster display name>.
- From the TIMEFRAME menu, specify a time frame:
  - Select a predefined time period. These range from Last hour to Last 3 months.
  - Set a custom time period. Select Between, After, or Before, and click the additional fields that display to set dates and times that support your selection.
- From the AUTHORIZATION SERVER list, select an OAuth authorization server.
- From the GRANT TYPE list, select an OAuth grant type.
- To save report data in a comma-separated values (CSV) file, click the CSV Report button. The CSV file downloads.
- To refresh the data on this dashboard immediately, click Refresh. To configure an automatic refresh, click the arrow next to it and then select 1 minute, 5 minutes, or 10 minutes. You can also Disable automatic refresh from this menu.
- To learn more details for the categories across the top of the page, select Total Access Tokens, Total Refresh Errors, Revoked Tokens, Expired Access Tokens, or Expired Refresh Tokens. BIG-IQ displays a screen with additional metrics for the selected category. For example, if you are interested in viewing all expired access tokens resulting from clients using Windows, select Expired Access Tokens, then view the data for Windows under the chart titled PLATFORM DISTRIBUTION.
- To exit the nested view or to move up one level, select the breadcrumbs links at the top of the dashboard you want to navigate to.
- To filter the list of tokens, select an option from the TOKEN FILTER dropdown menu. Select one of the following: Access Tokens Issued, Access Tokens Expired, Refresh Tokens Issued, or Refresh Tokens Expired.
- To revoke an OAuth token, use the list of OAuth tokens on the main Token Summary dashboard or drill down one level into any of the fields on the dashboard. At the bottom of the screen, select the checkbox next to the OAuth tokens you wish to revoke.
- Select Revoke Selected Tokens, and then select OK.
What data can you monitor from the OAuth tokens dashboard?
The Token Summary screen shows several charts that you can use to track the health of your OAuth authorization server tokens. See the notes below to learn more about each category for which you can record data.
What is on this dashboard?
Value | Functionality |
---|---|
Total Access Tokens | This chart displays the total number of access tokens in the OAuth configuration. |
Total Refresh Tokens | This chart displays the total number of refresh tokens in the OAuth configuration. |
Revoked Tokens | This chart displays the total number of tokens that were revoked by the OAuth provider. |
Expired Access Tokens | This chart displays the total number of access tokens that expired. |
Expired Refresh Tokens | This chart displays the total number of refresh tokens that expired. |
User | This field displays the name of the user using the OAuth resource. |
Client App | This field displays the name of the client application. |
Access Token Issued | This field displays the date and time that this OAuth authorization server issued the token. |
Access Token Expires | This field displays the date and time that a revoked token expired or that an active token is set to expire. |
Access Token Count | This field displays the number of access tokens. |
Access Token Status | This field displays one of these statuses: |
Refresh Token Issued | This field displays the date and time that this OAuth authorization server issued the token. |
Refresh Token Expires | This field displays the date and time that a revoked token expired or that an active token is set to expire. |
Refresh Token Count | This field displays the number of refresh tokens. |
Refresh Token Status | This field displays the OAuth token status, Active or Revoked. |
HostName | This field displays the BIG-IP device hostname. |
Cluster | This field displays the name of the device cluster. |
User Agent | This field displays the name of the user agent. |
Grant Type | This field displays the grant type as either authcode, implicit, or ROPC. |
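
A triage pass over an exported Token Summary report, as an added example that is not part of the F5 manual: it shortlists rows worth reviewing before you use Revoke Selected Tokens. The CSV column names (taken from the field table above), the timestamp layout, the `Revoked` access token status value, and the thresholds are assumptions; the sample rows are constructed.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Grant Type values from the field table, compared case-insensitively.
# Implicit and ROPC are the grants the OAuth 2.0 Security BCP advises against.
LEGACY_GRANTS = {"implicit", "ropc"}
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp layout of the export

# Constructed sample standing in for a Token Summary CSV export. The header
# reuses the dashboard field names; the real export layout is an assumption.
SAMPLE_CSV = """\
User,Client App,Access Token Issued,Access Token Expires,Access Token Status,Refresh Token Status,HostName,Grant Type
alice,portal-web,2024-05-01 09:00:00,2024-05-01 10:00:00,Active,Active,bigip1.example.test,authcode
bob,legacy-sync,2024-05-01 09:05:00,2024-05-01 10:05:00,Active,Active,bigip1.example.test,ROPC
carol,spa-dashboard,2024-05-01 09:10:00,2024-05-01 09:40:00,Active,,bigip2.example.test,implicit
dave,batch-export,2024-05-01 08:00:00,2024-05-08 08:00:00,Active,Active,bigip2.example.test,authcode
erin,portal-web,2024-05-01 07:00:00,2024-05-01 08:00:00,Revoked,Active,bigip1.example.test,authcode
alice,mobile-app,2024-05-01 09:20:00,2024-05-01 10:20:00,Active,Active,bigip1.example.test,authcode
alice,reporting,2024-05-01 09:30:00,2024-05-01 10:30:00,Active,Active,bigip2.example.test,authcode
"""


def load_rows(text):
    """Parse the export into dicts with whitespace-trimmed keys and values."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        # Short rows yield None values; surplus cells land under a None key.
        rows.append({k.strip(): (v or "").strip()
                     for k, v in raw.items() if k is not None})
    return rows


def token_lifetime(row):
    """Return expires - issued, or None when either timestamp is unparseable."""
    try:
        issued = datetime.strptime(row["Access Token Issued"], TIME_FORMAT)
        expires = datetime.strptime(row["Access Token Expires"], TIME_FORMAT)
    except (KeyError, ValueError):
        return None
    return expires - issued


def triage(rows, max_lifetime=timedelta(hours=24), max_active_per_user=2):
    """Return (user, client_app, reason) tuples for tokens worth reviewing."""
    findings = []
    active_per_user = Counter()
    for row in rows:
        user, app = row.get("User", ""), row.get("Client App", "")
        access = row.get("Access Token Status", "").lower()
        refresh = row.get("Refresh Token Status", "").lower()
        grant = row.get("Grant Type", "").lower()

        if access == "active":
            active_per_user[user] += 1
            # Active tokens minted through a legacy grant type.
            if grant in LEGACY_GRANTS:
                findings.append((user, app, "legacy-grant:" + grant))
            # Active tokens whose validity window exceeds local policy.
            lifetime = token_lifetime(row)
            if lifetime is None:
                findings.append((user, app, "unparseable-timestamps"))
            elif lifetime > max_lifetime:
                findings.append((user, app, "lifetime-over-policy"))
        elif access == "revoked" and refresh == "active":
            # A live refresh token can still be exchanged for new access tokens.
            findings.append((user, app, "refresh-active-after-revoke"))

    # Users holding more concurrently active tokens than policy expects.
    for user, count in sorted(active_per_user.items()):
        if count > max_active_per_user:
            findings.append((user, "*", "active-token-count:%d" % count))
    return findings


if __name__ == "__main__":
    for user, app, reason in triage(load_rows(SAMPLE_CSV)):
        print("%-6s %-14s %s" % (user, app, reason))
```

Each finding is a prompt for review in the dashboard, not an automatic revocation decision; tune `max_lifetime` and `max_active_per_user` to your own token policy.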
About monitoring OAuth client data
BIG-IQ Access users can configure a managed BIG-IP device to function as an OAuth client and resource server. With this configuration, customers can log on using external OAuth accounts to gain access to the resources protected by the BIG-IP device provisioned with APM.
Once you have configured a BIG-IP device to act as an OAuth client, you can use BIG-IQ to monitor the health of the OAuth client. The Client Summary screen shows several charts that you can use to track the status of your OAuth client. Data appears when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.
From the Client Errors screen, you can view a full log of errors in the OAuth client configuration in order to troubleshoot issues with your OAuth client.
View and configure the OAuth client summary dashboard
Before BIG-IQ can display Access report data for a managed BIG-IP device, you must first complete the following tasks:
- Add the managed BIG-IP device to the BIG-IQ Centralized Management inventory
- Discover and import the managed BIG-IP device
- Have a BIG-IQ user enable Access remote logging configuration on the managed BIG-IP device
- Admin
- Access Manager
- Access Deployer
You can use BIG-IQ to generate OAuth Client summary data. The Client Summary report shows several charts that you can use to track the health of your OAuth client. Controls on this screen work together so you can fine-tune the statistics display.
- Navigate to.
- At the top left of the screen, from the ACCESS GROUP/DEVICES list, either select one of the first two options (All Devices and All Managed Devices) or select one or more of the other options (<Access group name>, <Cluster display name>, or <Device name>).
  - All Managed Devices: Includes all Access devices that are currently discovered.
  - <Access group name>: Select to include all devices in the Access group.
  - <Cluster display name>: Select to include the devices in the cluster.
  - <Device name>: Select to include the device. You can select any device from Managed Devices, <Access group name>, or <Cluster display name>.
- From the TIMEFRAME menu, specify a time frame:
  - Select a predefined time period. These range from Last hour to Last 3 months.
  - Set a custom time period. Select Between, After, or Before, and click the additional fields that display to set dates and times that support your selection.
- To view data for a different OAuth client, make a selection from the CLIENT dropdown list.
- To view data for a different grant type, make a selection from the GRANT TYPE dropdown list.
- To save report data in a comma-separated values (CSV) file, click the CSV Report button. The CSV file downloads.
- To refresh the data on this dashboard immediately, click Refresh. To configure an automatic refresh, click the arrow next to it and then select 1 minute, 5 minutes, or 10 minutes. You can also Disable automatic refresh from this menu.
- To learn more details for the categories across the top of the page, select Token Requests, Token Errors, Unique Users, or Connectivity Errors. BIG-IQ displays a screen with additional metrics for the selected category. For example, if you are interested in viewing all token requests initiated by a particular user, select Token Requests, and then view the data for the user you are interested in under the chart titled TOP 10 USERS. You can continue drilling down to further customize what displays on this screen.
- To view details for a specific session, click the ID under the Session ID column.
- To exit the nested view or to move up one level, select the breadcrumbs links at the top of the dashboard you want to navigate to.
- Under the OAUTH CLIENT PERFORMANCE OVER TIME line chart, select any of the metrics in order to remove or add each metric for token generation.
- You can use the bar charts to drill down and generate a customized report. These dashboards are TOP 10 USERS, TOP 10 CLIENT IPs, TOP CLIENT PLATFORMS, and GEOLOCATION DISTRIBUTION. For example, if you wanted to view data for a specific user with requests originating from California, select the user you are interested in from under the TOP 10 USERS dashboard and then select California under the GEOLOCATION DISTRIBUTION dashboard. You can continue drilling down further to view customized combinations of data.
- In the second level of the dashboards, you can view a list of sessions associated with OAuth client usage.
- To view details for a specific session, click the ID under the Session ID column.
What data can you monitor for the OAuth Client Summary dashboard?
The Client Summary screen shows several charts that you can use to track the health of your OAuth client. Each chart displays a different category of collected data.
What charts are on this dashboard?
Chart | Functionality |
---|---|
Total Requests | This chart displays the total number of client requests in the OAuth configuration. |
Token Errors | This chart displays the total number of token errors received by the OAuth client. |
Unique Users | This chart displays the total number of unique users in the OAuth configuration. |
Connectivity Errors | This chart displays the total number of connectivity errors in the OAuth configuration. |
OAUTH CLIENT PERFORMANCE OVER TIME | This chart displays a line chart for OAuth client performance over time. |
TOP 10 USERS | This chart displays the top ten users who have used the OAuth client over the specified time period. |
TOP 10 CLIENT IPs | This chart displays the top ten Internet Service Providers that use the OAuth client configuration. |
PLATFORM DISTRIBUTION | This chart displays the platform, such as operating system or mobile device, that distributes the OAuth service. |
GEOLOCATION DISTRIBUTION | This map displays the country in which the OAuth service is located. |
View and configure OAuth client error reports
Before BIG-IQ can display Access report data for a managed BIG-IP device, you must first complete the following tasks:
- Add the managed BIG-IP device to the BIG-IQ Centralized Management inventory
- Discover and import the managed BIG-IP device
- Have a BIG-IQ user enable Access remote logging configuration on the managed BIG-IP device
- Admin
- Access Manager
- Access Deployer
Use BIG-IQ Centralized Management to monitor OAuth client error logs. The Client Errors report shows a log of errors in the OAuth client configuration.
- Navigate to.
- At the top left of the screen, from the ACCESS GROUP/DEVICES list, either select one of the first two options (All Devices and All Managed Devices) or select one or more of the other options (<Access group name>, <Cluster display name>, or <Device name>).
  - All Managed Devices: Includes all Access devices that are currently discovered.
  - <Access group name>: Select to include all devices in the Access group.
  - <Cluster display name>: Select to include the devices in the cluster.
  - <Device name>: Select to include the device. You can select any device from Managed Devices, <Access group name>, or <Cluster display name>.
- From the TIMEFRAME menu, specify a time frame:
  - Select a predefined time period. These range from Last hour to Last 3 months.
  - Set a custom time period. Select Between, After, or Before, and click the additional fields that display to set dates and times that support your selection.
- To save report data in a comma-separated values (CSV) file, click the CSV Report button. The CSV file downloads.
- To refresh the data on this dashboard immediately, click Refresh. To configure an automatic refresh, click the arrow next to it and then select 1 minute, 5 minutes, or 10 minutes. You can also Disable automatic refresh from this menu.
- View the list of error messages in the report. To view specific session details for one of the errors, click the ID under the Session ID column.
What data can you monitor in the OAuth Client Error Logs?
The Client Errors screen shows a list of errors in the OAuth client configuration. See the notes below to learn more about each field for which you can record data.
What fields are on this screen?
Field | Functionality |
---|---|
Local Time | This field displays the time and date the error message occurred. |
HostName | This field displays the hostname of the managed BIG-IP device that sent this error message. |
Session ID | Click the session ID to open the Session Details screen, displaying session details and session variables. From this screen, you can monitor log messages and customize your log message report by severity. Selecting Emergency will show only the most severe warnings, and selecting Debug will display the lowest severity messages. |
Log Level | This field displays the log level of the error message. |
Message | This field displays the error message. |
About monitoring OAuth client resource data
BIG-IQ Access users can configure a managed BIG-IP device to act as an OAuth client and resource server. Once you have done so, you can view the OAuth Resource Summary screen to track the health of your OAuth resource. Data appears when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.
View and configure the OAuth resource summary dashboard
Before BIG-IQ can display Access report data for a managed BIG-IP device, you must first complete the following tasks:
- Add the managed BIG-IP device to the BIG-IQ Centralized Management inventory
- Discover and import the managed BIG-IP device
- Have a BIG-IQ user enable Access remote logging configuration on the managed BIG-IP device
- Admin
- Access Manager
- Access Deployer
Use BIG-IQ Centralized Management to generate a summary report for your OAuth resource. The Resource Summary dashboard shows several charts that you can use to track the health of your OAuth resource. Controls on this screen work together so you can fine-tune the statistics display.
- Navigate to.
- At the top left of the screen, from the ACCESS GROUP/DEVICES list, either select one of the first two options (All Devices and All Managed Devices) or select one or more of the other options (<Access group name>, <Cluster display name>, or <Device name>).
  - All Managed Devices: Includes all Access devices that are currently discovered.
  - <Access group name>: Select to include all devices in the Access group.
  - <Cluster display name>: Select to include the devices in the cluster.
  - <Device name>: Select to include the device. You can select any device from Managed Devices, <Access group name>, or <Cluster display name>.
- From the TIMEFRAME menu, specify a time frame:
  - Select a predefined time period. These range from Last hour to Last 3 months.
  - Set a custom time period. Select Between, After, or Before, and click the additional fields that display to set dates and times that support your selection.
- To view data for a different OAuth resource, make a selection from the Resource dropdown.
- To save report data in a comma-separated values (CSV) file, click the CSV Report button. The CSV file downloads.
- To refresh the data on this dashboard immediately, click Refresh. To configure an automatic refresh, click the arrow next to it and then select 1 minute, 5 minutes, or 10 minutes. You can also Disable automatic refresh from this menu.
- To learn more details for the categories across the top of the page, select Token Validation Successes, Token Validation Errors, Unique Client IPs, or Connectivity Errors. BIG-IQ displays a screen with additional metrics for the selected category. For example, to see resource usage originating from a specific client IP address, select Unique Client IPs, then view the data for the IP address you are interested in under the chart titled TOP 10 CLIENT IPs. You can continue drilling down to view even more customized reports.
- To view details for a specific session, click the ID under the Session ID column.
- To exit the nested view or to move up one level, select the breadcrumbs links at the top of the dashboard you want to navigate to.
- Under the RESOURCE SERVER PERFORMANCE OVER TIME line chart, select any of the metrics in order to remove or add each metric to the chart for resource server performance.
- You can use the bar charts to drill down and generate a customized dashboard. These charts are TOP 10 CLIENT IPs, TOP CLIENT PLATFORMS, and GEOLOCATION DISTRIBUTION. For example, to view data for a specific client IP address with requests originating from Seattle:
  - On the TOP 10 CLIENT IPs chart, select the IP address you are interested in.
  - On the map in the GEOLOCATION DISTRIBUTION chart, select Seattle.
  Once you drill down, you will be able to view customized combinations of data for the selected Seattle IP address.
What data can you monitor for the OAuth Resource Summary dashboard?
The Resource Summary screen shows several charts that you can use to track the health of your OAuth resource. Each chart displays a different category of collected data.
What charts are on this dashboard?
Chart | Functionality |
---|---|
Token Validation Successes | This chart displays the total number of successful token validations by the OAuth resource server. |
Token Validation Errors | This chart displays the total number of validation errors from the OAuth resource server. |
Unique Client IPs | This chart displays the total number of unique client IPs in the OAuth configuration. |
Connectivity Errors | This chart displays the total number of connectivity errors on the OAuth resource server. |
RESOURCE SERVER PERFORMANCE OVER TIME | This chart displays a line chart for resource server performance over time. |
TOP 10 CLIENT IPs | This chart displays the top ten client IP addresses that use the OAuth client configuration. |
PLATFORM DISTRIBUTION | This chart displays the operating system for the user's machine that distributes the OAuth service. |
GEOLOCATION DISTRIBUTION | This chart displays the country in which the user is located. |
About summary reports for monitoring SAML Service Providers
BIG-IQ Access users can configure a managed BIG-IP device with APM provisioned to act as a SAML service provider (SP). Once you have done so, use the SAML SP Summary dashboard to track the health of your SAML SP resource. Data appears when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.
View and configure the Service Provider (SP) summary report
Before BIG-IQ can display Access report data for a managed BIG-IP device, you must first complete the following tasks:
- Add the managed BIG-IP device to the BIG-IQ Centralized Management inventory
- Discover and import the managed BIG-IP device
- Have a BIG-IQ user enable Access remote logging configuration on the managed BIG-IP device
- Admin
- Access Manager
- Access Deployer
Use BIG-IQ Centralized Management to generate a summary report for SAML Service Provider (SP) resources. The SP Summary report shows several charts that you can use to track the health of your SAML SP resource. Controls on this screen work together so you can fine-tune the statistics display.
- Navigate to.
- At the top left of the screen, from the ACCESS GROUP/DEVICES list, either select one of the first two options (All Devices and All Managed Devices) or select one or more of the other options (<Access group name>, <Cluster display name>, or <Device name>).
  - All Managed Devices: Includes all Access devices that are currently discovered.
  - <Access group name>: Select to include all devices in the Access group.
  - <Cluster display name>: Select to include the devices in the cluster.
  - <Device name>: Select to include the device. You can select any device from Managed Devices, <Access group name>, or <Cluster display name>.
- From the TIMEFRAME menu, specify a time frame:
  - Select a predefined time period. These range from Last hour to Last 3 months.
  - Set a custom time period. Select Between, After, or Before, and click the additional fields that display the set dates and times that support your selection.
- To view data for a different SAML service provider, make a selection from the SP dropdown list.
- To save report data in a comma-separated values (CSV) file, click the CSV Report button. The CSV file downloads.
- To refresh the data on this dashboard immediately, click Refresh. To configure an automatic refresh, click the arrow next to it and then select 1 minute, 5 minutes, or 10 minutes. You can also Disable automatic refresh from this menu.
- To learn more details for the categories across the top of the page, select Assertions Success and Assertions Failed. A screen appears with additional metrics for this recorded category. For example, if you are interested in viewing all successful assertions from a particular OAuth service provider, select Successful Assertions. Then select a service provider under the chart titled TOP 10 SPs WITH SUCCESSFUL ASSERTIONS. Continue drilling down for a more specific report.
- To view details for a specific session, click the ID under the Session ID column.
- To exit the nested view or to move up one level, select the breadcrumbs links at the top of the dashboard you want to navigate to.
- Under the IDP ASSERTIONS OVER TIME line chart, select any of the metrics in order to remove or add each metric for the IdP assertion chart.
- You can use the bar charts to drill down and generate a customized report. These charts are TOP 10 IDPs WITH SUCCESSFUL ASSERTIONS, TOP 10 CLIENT IPs, TOP 10 SUBJECT VALUES WITH SUCCESSFUL ASSERTIONS, and TOP 10 IDPs WITH FAILED ASSERTIONS. For example, if you wanted to view data for a specific user and for a particular OAuth client IP address, select the user you are interested in from under the TOP 10 USERS dashboard and then select the IP address under the TOP 10 OAUTH CLIENT IPs dashboard. As you drill down, you will be able to view customized combinations of data.
What data can you monitor for the SAML Service Provider Summary dashboard?
The SP Summary screen shows several charts that you can use to track the health of your SAML SP resource. Each chart displays a different category of collected data.
What charts are in this dashboard?
Chart | Functionality |
---|---|
Assertions Success | This chart displays the number of successful SP assertions. |
Assertions Failed | This chart displays the total number of failed SP assertions. |
SP ASSERTIONS OVER TIME | This chart displays a line chart for SP assertions over time. |
TOP 10 IdPs WITH SUCCESSFUL ASSERTIONS | This chart displays the top ten IdPs with successful assertions. |
TOP 10 IDPs WITH FAILED ASSERTIONS | This chart displays the top ten IdPs with failed assertions. |
TOP 10 CLIENT IPs | This chart displays the top ten Client IP addresses that use SP assertions. |
TOP 10 SUBJECT VALUES WITH SUCCESSFUL ASSERTIONS | This chart displays the top subject values with successful assertions. |
About monitoring SAML SP assertions
BIG-IQ Access users can monitor SAML Service Provider assertion data using the SP Assertions dashboard. The SP Assertions screen shows several charts that you can use to track the health of your SAML SP assertions. Data appears when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.
View and configure SP assertion reports
Before BIG-IQ can display Access report data for a managed BIG-IP device, you must first complete the following tasks:
- Add the managed BIG-IP device to the BIG-IQ Centralized Management inventory
- Discover and import the managed BIG-IP device
- Have a BIG-IQ user enable Access remote logging configuration on the managed BIG-IP device
- Admin
- Access Manager
- Access Deployer
Only a BIG-IP device with SAML provisioned on it can provide data for SAML reports.
The SP Assertions screen shows several charts that you can use to track the health of your SAML SP assertions. Controls on this screen work together so you can fine-tune the statistics display.
- Navigate to. The SP Assertions screen opens, displaying a table with assertion information.
- At the top left of the screen, from the ACCESS GROUP/DEVICES list, either select one of the first two options (All Devices and All Managed Devices) or select one or more of the other options (<Access group name>, <Cluster display name>, or <Device name>).
  - All Managed Devices: Includes all Access devices that are currently discovered.
  - <Access group name>: Select to include all devices in the Access group.
  - <Cluster display name>: Select to include the devices in the cluster.
  - <Device name>: Select to include the device. You can select any device from Managed Devices, <Access group name>, or <Cluster display name>.
- From the TIMEFRAME menu, specify a time frame:
  - Select a predefined time period. These range from Last hour to Last 3 months.
  - Set a custom time period. Select Between, After, or Before, and click the additional fields that display the set dates and times that support your selection.
- To view data for a specific SAML service provider, select one from the SP dropdown list. View the list of SP assertions in the table.
- To save report data in a comma-separated values (CSV) file, click the CSV Report button. The CSV file downloads.
- To refresh the data on this dashboard immediately, click Refresh. To configure an automatic refresh, click the arrow next to it and then select 1 minute, 5 minutes, or 10 minutes. You can also Disable automatic refresh from this menu.
- To view details for a specific session, click the ID under the Session ID column.
What data can you monitor for the SAML SP Assertions dashboard?
The SP Assertions screen shows several charts that you can use to track the health of your SAML SP assertions. See the notes below to learn more about each field for which you can record data.
What fields are in this dashboard?
Field | Functionality |
---|---|
Session ID | Click the session ID to open the Session Details screen, displaying session details and session variables. From this screen, you can monitor log messages and customize your log message report by severity. Selecting Emergency will show only the most severe warnings, and selecting Debug will display the lowest severity messages. |
Assertion Time | This field displays the time and date when the SP assertion occurred. |
Name | This field displays the SP service. |
User Name | This field displays the username attempting to sign on with Single Sign-On (SSO). |
HostName | This field displays the managed BIG-IP device hostname. |
Platform | This field displays the operating system of the client's machine. |
Cluster | This field displays the cluster attached to the SP service. |
About SAML SP error reports
BIG-IQ Access users can generate SAML SP error reports to view a full-length log for all error messages originating from a managed BIG-IP device serving as a SAML SP. To do so, use the SAML SP Error Report screen in BIG-IQ. Data appears when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.
View and configure SP error reports
Before BIG-IQ can display Access report data for a managed BIG-IP device, you must first complete the following tasks:
- Add the managed BIG-IP device to the BIG-IQ Centralized Management inventory
- Discover and import the managed BIG-IP device
- Have a BIG-IQ user enable Access remote logging configuration on the managed BIG-IP device
- Admin
- Access Manager
- Access Deployer
The SP Errors screen shows several charts that you can use to track the health of your SAML SP errors. Controls on this screen work together so you can fine-tune the statistics display.
- Navigate to. The SP Error Reports screen opens, displaying the error logs.
- At the top left of the screen, from the ACCESS GROUP/DEVICES list, either select one of the first two options (All Devices and All Managed Devices) or select one or more of the other options (<Access group name>, <Cluster display name>, or <Device name>).
  - All Managed Devices: Includes all Access devices that are currently discovered.
  - <Access group name>: Select to include all devices in the Access group.
  - <Cluster display name>: Select to include the devices in the cluster.
  - <Device name>: Select to include the device. You can select any device from Managed Devices, <Access group name>, or <Cluster display name>.
- From the TIMEFRAME menu, specify a time frame:
  - Select a predefined time period. These range from Last hour to Last 3 months.
  - Set a custom time period. Select Between, After, or Before, and click the additional fields that display the set dates and times that support your selection.
- To view data for a specific SAML service provider, select one from the SP dropdown list. View the list of service provider errors in the table on the dashboard.
- To save report data in a comma-separated values (CSV) file, click the CSV Report button. The CSV file downloads.
- To refresh the data on this dashboard immediately, click Refresh. To configure an automatic refresh, click the arrow next to it and then select 1 minute, 5 minutes, or 10 minutes. You can also Disable automatic refresh from this menu.
- View the list of service provider errors in the table on the dashboard.
- To view details for a specific session, click the ID under the Session ID column.
What data can you monitor for the SAML SP Error Reports?
The SP Errors screen shows several charts that you can use to track the health of your SAML SP errors. See the notes below to learn more about each field for which you can record data.
What fields are in this dashboard?
Field | Functionality |
---|---|
Local Time | This field displays the time and date the error message occurred. |
HostName | This field displays the hostname of the managed BIG-IP device from which this error message originated. |
Session ID | Click the session ID to open the Session Details screen, displaying session details and session variables. From this screen, you can monitor log messages and customize your log message report by severity. Selecting Emergency will show only the most severe warnings, and selecting Debug will display the lowest severity messages. |
Log Level | This field displays the log level of the error message. |
Message | This field displays the error message. |
About summary reports for SAML identity providers
BIG-IQ Access users can configure managed BIG-IP devices with APM provisioned to act as a SAML Identity Provider (IdP) for Software as a Service (SaaS) applications. Configure managed BIG-IP devices as a SAML IdP to enable Single Sign-On to common applications. Once you have configured a BIG-IP device as an IdP, use BIG-IQ to track the health of your SAML IdP resource. Using the IdP Summary dashboard, you can view a variety of metrics to monitor SAML assertions and IdP errors.
Data appears on this dashboard when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.
View and configure Identity Provider summary reports
Before BIG-IQ can display Access report data for a managed BIG-IP device, you must first complete the following tasks:
- Add the managed BIG-IP device to the BIG-IQ Centralized Management inventory
- Discover and import the managed BIG-IP device
- Have a BIG-IQ user enable Access remote logging configuration on the managed BIG-IP device
- Admin
- Access Manager
- Access Deployer
Use BIG-IQ Centralized Management to generate a SAML Identity Provider report. The IdP Summary report shows several charts that you can use to track the health of your SAML IdP resource.
- Navigate to. The IdP Summary screen opens, displaying a dashboard with summary information.
- At the top left of the screen, from the ACCESS GROUP/DEVICES list, either select one of the first two options (All Devices and All Managed Devices) or select one or more of the other options (<Access group name>, <Cluster display name>, or <Device name>).
  - All Managed Devices: Includes all Access devices that are currently discovered.
  - <Access group name>: Select to include all devices in the Access group.
  - <Cluster display name>: Select to include the devices in the cluster.
  - <Device name>: Select to include the device. You can select any device from Managed Devices, <Access group name>, or <Cluster display name>.
- From the TIMEFRAME menu, specify a time frame:
  - Select a predefined time period. These range from Last hour to Last 3 months.
  - Set a custom time period. Select Between, After, or Before, and click the additional fields that display the set dates and times that support your selection.
- From the IdP dropdown menu, select one SAML identity provider to view a report for that resource.
- To save report data in a comma-separated values (CSV) file, click the CSV Report button. The CSV file downloads.
- To refresh the data on this dashboard immediately, click Refresh. To configure an automatic refresh, click the arrow next to it and then select 1 minute, 5 minutes, or 10 minutes. You can also Disable automatic refresh from this menu.
- To learn more details for the categories across the top of the page, select Assertions Success and Assertions Failed. A screen appears with additional metrics for this recorded category. For example, if you are interested in viewing all successful assertions from a particular OAuth identity provider, select Successful Assertions. Then select an identity provider under the chart titled TOP 10 IDPs WITH SUCCESSFUL ASSERTIONS. Continue drilling down for a more customized report.
- To view details for a specific session, click the ID under the Session ID column.
- To exit the nested view or to move up one level, select the breadcrumbs links at the top of the dashboard you want to navigate to.
- Under the IDP ASSERTIONS OVER TIME line chart, select any of the metrics in order to remove or add each metric for the IdP assertion chart.
- You can use the bar charts to drill down and generate a customized report. These charts are TOP 10 SPs WITH SUCCESSFUL ASSERTIONS, TOP 10 USERS, TOP 10 SUBJECT VALUES WITH SUCCESSFUL ASSERTIONS, and TOP 10 SPs WITH FAILED ASSERTIONS. For example, if you wanted to view data for a specific user and for a particular client IP address, select the user you are interested in from under the TOP 10 USERS dashboard and then select the IP address under the TOP 10 CLIENT IP's dashboard. As you drill down, you will be able to view customized combinations of data.
What data can you monitor for the SAML Identity Provider Summary dashboard?
The IdP Summary screen shows several charts that you can use to track the health of your SAML IdP resource. Each chart displays a different category of collected data.
What charts are in this dashboard?
Chart | Functionality |
---|---|
Assertions Success | This chart displays the total number of successful IdP assertions. |
Assertions Failed | This chart displays the total number of failed IdP assertions. |
IDP ASSERTIONS OVER TIME | This chart displays a line chart for IdP assertions over time. |
TOP 10 SPs WITH SUCCESSFUL ASSERTIONS | This chart displays the top ten SPs with successful assertions. |
TOP 10 USERS | This chart displays the top ten users who have attempted to sign in using a SAML IdP. |
TOP 10 SUBJECT VALUES WITH SUCCESSFUL ASSERTIONS | This chart displays the top subject values with successful assertions. |
TOP 10 IDPs WITH FAILED ASSERTIONS | This chart displays the top ten IdPs with failed assertions. |
About monitoring IdP assertion data
BIG-IQ Access users can monitor SAML Identity Provider assertion data using the IdP Assertions dashboard. The IdP Assertions screen shows several charts that you can use to track the health of your SAML IdP assertions. Data appears when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.
View and configure IdP assertion reports
Before BIG-IQ can display Access report data for a managed BIG-IP device, you must first complete the following tasks:
- Add the managed BIG-IP device to the BIG-IQ Centralized Management inventory
- Discover and import the managed BIG-IP device
- Have a BIG-IQ user enable Access remote logging configuration on the managed BIG-IP device
- Admin
- Access Manager
- Access Deployer
The IdP Assertions screen shows several charts that you can use to track the health of your SAML IdP assertions. Controls on this screen work together so you can fine-tune the statistics display.
- Click. The IdP Assertions screen opens, displaying a table with assertion information.
- At the top left of the screen, from the ACCESS GROUP/DEVICES list, either select one of the first two options (All Devices and All Managed Devices) or select one or more of the other options (<Access group name>, <Cluster display name>, or <Device name>).
  - All Managed Devices: Includes all Access devices that are currently discovered.
  - <Access group name>: Select to include all devices in the Access group.
  - <Cluster display name>: Select to include the devices in the cluster.
  - <Device name>: Select to include the device. You can select any device from Managed Devices, <Access group name>, or <Cluster display name>.
- From the TIMEFRAME menu, specify a time frame:
  - Select a predefined time period. These range from Last hour to Last 3 months.
  - Set a custom time period. Select Between, After, or Before, and click the additional fields that display the set dates and times that support your selection.
- From the IdP dropdown menu, select one SAML identity provider to view a report for that resource.
- To save report data in a comma-separated values (CSV) file, click the CSV Report button. The CSV file downloads.
- To refresh the data on this dashboard immediately, click Refresh. To configure an automatic refresh, click the arrow next to it and then select 1 minute, 5 minutes, or 10 minutes. You can also Disable automatic refresh from this menu.
- View a list of IdP assertions in the dashboard for the selected SAML identity provider.
- To view details for a specific session, click the ID under the Session ID column.
What data can you monitor for the SAML IdP Assertions dashboard?
The IdP Assertions screen shows several charts that you can use to track the health of your SAML IdP assertions. See the notes below to learn more about each field for which you can record data.
What fields can you monitor in this dashboard?
Field | Functionality |
---|---|
Session ID | Click the session ID to open the Session Details screen, displaying session details and session variables. From this screen, you can monitor log messages and customize your log message report by severity. Selecting Emergency will show only the most severe warnings, and selecting Debug will display the lowest severity messages. |
Assertion Time | This field displays the time and date when the SP assertion occurred. |
Name | This field displays the name of the IdP service. |
User Name | This field displays the username of the person using the managed BIG-IP device. |
HostName | This field displays the managed BIG-IP device hostname. |
Platform | This field displays the operating system of the client's machine. |
Cluster | This field displays the cluster attached to the IdP service. |
About SAML Identity Provider error reports
BIG-IQ Access users can generate SAML IdP error reports to view a full-length log for all error messages originating from a managed BIG-IP device serving as a SAML IdP. To do so, use the SAML IdP Error Report screen in BIG-IQ. Data appears on the dashboard when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.
View and configure IdP error reports
Before BIG-IQ can display Access report data for a managed BIG-IP device, you must first complete the following tasks:
- Add the managed BIG-IP device to the BIG-IQ Centralized Management inventory
- Discover and import the managed BIG-IP device
- Have a BIG-IQ user enable Access remote logging configuration on the managed BIG-IP device
- Admin
- Access Manager
- Access Deployer
The IdP Errors screen shows several charts that you can use to track the health of your SAML IdP errors. Controls on this screen work together so you can fine-tune the statistics display.
- Select. The IdP Errors screen opens, displaying a table with reported errors.
- At the top left of the screen, from the ACCESS GROUP/DEVICES list, either select one of the first two options (All Devices and All Managed Devices) or select one or more of the other options (<Access group name>, <Cluster display name>, or <Device name>).
  - All Managed Devices: Includes all Access devices that are currently discovered.
  - <Access group name>: Select to include all devices in the Access group.
  - <Cluster display name>: Select to include the devices in the cluster.
  - <Device name>: Select to include the device. You can select any device from Managed Devices, <Access group name>, or <Cluster display name>.
- From the TIMEFRAME menu, specify a time frame:
  - Select a predefined time period. These range from Last hour to Last 3 months.
  - Set a custom time period. Select Between, After, or Before, and click the additional fields that display the set dates and times that support your selection.
- From the IdP dropdown menu, select one SAML identity provider to view a report for that resource. View a list of IdP errors in this dashboard.
- To save report data in a comma-separated values (CSV) file, click the CSV Report button. The CSV file downloads.
- To refresh the data on this dashboard immediately, click Refresh. To configure an automatic refresh, click the arrow next to it and then select 1 minute, 5 minutes, or 10 minutes. You can also Disable automatic refresh from this menu.
- To view details for a specific session, click the ID under the Session ID column.
What data can you monitor for the SAML IdP Error dashboard?
The IdP Errors screen shows several charts that you can use to track the health of your SAML IdP errors. Each chart displays a different category of collected data.
What is in this dashboard?
Value | Functionality |
---|---|
Local Time | This field displays the time and date the error message occurred. |
HostName | This field displays the hostname of the managed BIG-IP that generated this error message. |
Session ID | Click the session ID to open the Session Details screen, displaying session details and session variables. From this screen, you can monitor log messages and customize your log message report by severity. Selecting Emergency will show only the most severe warnings, and selecting Debug will display the lowest severity messages. |
Log Level | This field displays the log level of the error message. |
Message | This field displays the error message. |
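The SP and IdP error reports above share the same five fields and can both be saved with the CSV Report button. The following added example (not part of the F5 documentation or product) shows one way to triage such an export offline. It assumes the CSV header row uses the field names from the tables above and that Log Level holds the standard syslog severity names, of which this page names only Emergency and Debug; the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Syslog severity names, most severe first. The manual names only Emergency
# (most severe) and Debug (least severe); the levels in between are assumed.
SEVERITY = ["Emergency", "Alert", "Critical", "Error",
            "Warning", "Notice", "Informational", "Debug"]
RANK = {name.lower(): i for i, name in enumerate(SEVERITY)}

# Assumption: the export's header row matches the dashboard field names.
COLUMNS = ("Local Time", "HostName", "Session ID", "Log Level", "Message")


def triage(csv_text, min_level="Error", repeat_threshold=3):
    """Summarise an exported SP or IdP error report.

    Keeps rows at or above min_level and returns:
      by_host        - Counter of kept rows per HostName
      noisy_sessions - {session_id: count} for sessions with at least
                       repeat_threshold kept rows
      unknown_levels - rows whose Log Level is not a known severity name
                       (reported separately instead of silently dropped)
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"export is missing expected columns: {missing}")

    cutoff = RANK[min_level.lower()]
    by_host, per_session, unknown = Counter(), Counter(), []
    for row in reader:
        # Short rows yield None for missing cells; treat those as empty.
        level = (row.get("Log Level") or "").strip().lower()
        rank = RANK.get(level)
        if rank is None:
            unknown.append(row)
            continue
        if rank <= cutoff:  # lower rank means more severe
            by_host[(row.get("HostName") or "").strip()] += 1
            per_session[(row.get("Session ID") or "").strip()] += 1

    noisy = {s: n for s, n in per_session.items() if n >= repeat_threshold}
    return {"by_host": by_host, "noisy_sessions": noisy,
            "unknown_levels": unknown}


# Constructed sample export: hostnames, session IDs, timestamps and messages
# are invented for illustration and do not come from a real device.
SAMPLE = """\
Local Time,HostName,Session ID,Log Level,Message
2024-01-01 10:00:01,bigip1.example.net,a1b2c3d4,Error,"constructed message, with a comma"
2024-01-01 10:00:05,bigip1.example.net,a1b2c3d4,Error,"constructed message, with a comma"
2024-01-01 10:00:09,bigip1.example.net,a1b2c3d4,Critical,constructed message
2024-01-01 10:01:00,bigip2.example.net,e5f6a7b8,Warning,constructed message
2024-01-01 10:02:00,bigip2.example.net,e5f6a7b8,Error,constructed message
2024-01-01 10:03:00,bigip2.example.net,99aa00bb,Trace,constructed message
"""

if __name__ == "__main__":
    result = triage(SAMPLE)
    for host, count in result["by_host"].most_common():
        print(f"{host}: {count} rows at Error or above")
    print("sessions with repeated errors:", result["noisy_sessions"])
    print("rows with unrecognised Log Level:", len(result["unknown_levels"]))
```

Session IDs that surface in noisy_sessions are the ones worth opening from the Session ID column to inspect session variables and log messages.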