Manual Chapter : Managing Federation reports

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 8.3.0, 8.2.0, 8.1.0, 8.0.0, 7.1.0
Manual Chapter

Managing Federation reports

About monitoring OAuth Authorization Server data

BIG-IQ Access users can configure managed BIG-IP devices in an Access Group to act as an OAuth authorization server or a resource server. Once you have configured an OAuth Authorization Server, you can use BIG-IQ to monitor the number of the tokens requested and generated by the OAuth Authorization Server, view the number of client applications used to access external resources, and view the number of errors the OAuth Authorization Server has encountered. You can also organize the Authorization Server Summary report by grant type or view data from a specific time period.
Use the Authorization Server Summary dashboard to troubleshoot issues with the BIG-IP device you have configured as an OAuth Authorization Server.

View and configure OAuth authorization server reports

Before BIG-IQ can display Access report data for a managed BIG-IP device, you must first complete the following tasks:
  • Add the managed BIG-IP device to the BIG-IQ Centralized Management inventory
  • Discover and import the managed BIG-IP device
  • Have a BIG-IQ user enable Access remote logging configuration on the managed BIG-IP device
To discover and import a configuration and deploy configurations to a managed BIG-IP device, users must belong to one of the following RBAC roles:
  • Admin
  • Access Manager
  • Access Deployer
Only BIG-IQ users managing BIG-IP devices with OAuth provisioned can provide data for OAuth reports.
You can use BIG-IQ Centralized Management to generate a summary report for your OAuth authorization server. Controls on this screen work together so you can fine-tune the statistics display. You may also use this workflow to revoke an OAuth token.
  1. Navigate to
    Monitoring
    DASHBOARDS
    Access
    Federation
    OAuth
    Authorization Server
    Authorization Server Summary
    .
  2. At the top left of the screen, from the
    ACCESS GROUP/DEVICES
    list, either select one of the first two options (
    All Devices
    and
    All Managed Devices
    ) or select one or more of the other options (
    <
    Access group name
    >
    ,
    <
    Cluster display name
    >
    , or
    <
    Device name
    >
    ).
    • All Managed Devices
      Includes all Access devices that are currently discovered.
    • <
      Access group name
      >
      Select to include all devices in the Access group.
    • <
      Cluster display name
      >
      Select to include the devices in the cluster.
    • <
      Device name
      >
      Select to include the device. You can select any device from
      Managed Devices
      ,
      <
      Access group name
      >
      , or
      <
      Cluster display name
      >
      .
  3. From the
    TIMEFRAME
    menu, specify a time frame:
    • Select a predefined time period. These range from
      Last hour
      to
      Last 3 months
      .
    • Set a custom time period. Select
      Between
      ,
      After
      , or
      Before
      , and click the additional fields that display the set dates and times that support your selection.
  4. To change the OAuth authorization server you view in this report, make a selection from the
    AUTHORIZATION SERVER
    list.
  5. To change the OAuth grant type displayed on this screen, make a selection from the
    GRANT TYPE
    dropdown list. You can choose to generate a report for Resource Owner Password Credentials (ROPC) grant types, implicit grant types, or authorization code grant types.
  6. To save report data in a comma-separated values (CSV) file, click the
    CSV Report
    button.
    The CSV file downloads.
  7. To refresh the data on this dashboard immediately, click
    Refresh
    . To configure an automatic refresh, click the arrow next to it and then select
    1 minute
    ,
    5 minutes
    , or
    10 minutes
    . You can also
    Disable
    automatic refresh from this menu.
  8. To learn more details for the categories across the top of the page, select
    Total Access Tokens
    ,
    Token Errors
    ,
    Unique Users
    ,
    Unique Client Apps
    , or
    Introspection Errors
    . BIG-IQ displays a screen with additional metrics for this recorded category.
    For example, to view all token errors tha result from the authorization code request type, select
    Token Errors
    , then view the data you are interested in under the chart titled
    TOP ERRORS BY REQUEST TYPE
    .
  9. To exit the nested view or to move up one level, select the breadcrumbs links at the top of the dashboard you want to navigate to.
  10. To add or remove metrics for token generation, on the
    TOKEN GENERATION REQUESTS OVER TIME
    chart, click on the name of the metric that you want to remove..
  11. You can use the bar charts to drill down and generate a customized report. These charts are
    TOP 10 USERS
    ,
    TOP 10 CLIENT APPS
    ,
    TOP 10 RESOURCE SERVERS
    ,
    TOP 10 OAUTH CLIENT IP'S
    ,
    GEOLOCATION DISTRIBUTION
    , and
    USER PLATFORM DISTRIBUTION
    .
    For example, to view data for a specific user
    and
    for a particular OAuth client IP address, select the user you are interested in under the
    TOP 10 USERS
    dashboard, and then select the IP address under the
    TOP 10 OAUTH CLIENT IP's
    dashboard.
    As you drill down, you will be able to view customized combinations of data.
  12. To revoke an OAuth token, drill down one level into any of the fields on the dashboard. At the bottom of the screen, select the checkbox next to the OAuth tokens you wish to revoke.
  13. Select
    Revoke Selected Tokens
    , and then select
    OK
    .
  14. To exit the nested view or to move up one level, select the breadcrumbs links at the top of the dashboard you want to navigate to.

What data can you monitor from the Authorization Server Summary dashboard?

Use the Authorization Server Summary dashboard to track the overall health of your OAuth server. See the notes below to learn more about each category for which you can record data.

What is on this dashboard?

Value
Functionality
Total Access Tokens
This chart displays the total number of access tokens by the OAuth server.
Token Errors
This chart displays the total number token errors from the OAuth server.
Unique Users
This chart displays the total number of unique users in the OAuth configuration.
Unique Client Apps
This chart displays the total number of unique client applications accessed by users.
Introspection Errors
This chart displays the total number of introspection errors in the OAuth configuration.
TOKEN GENERATION REQUESTS OVER TIME
This line chart displays requests for token generation over time.
TOP 10 OAUTH CLIENT IPs
This chart displays the top ten Internet service providers that use the OAuth client configuration.
TOP 10 USERS
This chart displays the top ten users who use the OAuth authorization server.
TOP 10 CLIENT APPS
This chart displays the top ten client applications that use the OAuth authorization server.
USER PLATFORM DISTRIBUTION
This chart displays the platform (such as operating system or mobile device) that distributes the OAuth service.
GEOLOCATION DISTRIBUTION
This chart displays the country from which users are accessing the OAuth resource.

About monitoring OAuth server performance

BIG-IQ Access users can view the Authorization Server Performance screen to track the health of an OAuth authorization server. If you previously configured a managed BIG-IP device running APM as an OAuth Authorization Server, you will be able to track the health of the server from this dashboard. You can also troubleshoot issues with token generation requests, and view data for token generation organized by grant type. Controls on this screen work together so you can fine-tune the statistics display.

View and configure the OAuth server performance dashboard

Before BIG-IQ can display Access report data for a managed BIG-IP device, you must first complete the following tasks:
  • Add the managed BIG-IP device to the BIG-IQ Centralized Management inventory
  • Discover and import the managed BIG-IP device
  • Have a BIG-IQ user enable Access remote logging configuration on the managed BIG-IP device
To discover and import a configuration and deploy configurations to a managed BIG-IP device, users must belong to one of the following RBAC roles:
  • Admin
  • Access Manager
  • Access Deployer
Only BIG-IQ users managing BIG-IP devices with OAuth provisioned can provide data for OAuth reports.
The Authentication Server Summary screen shows several charts that you can use to track the health of your authorization server role. Controls on this screen work together so you can fine-tune the statistics display.
  1. Click
    Monitoring
    DASHBOARDS
    Access
    Federation
    OAuth
    Authorization Server
    Server Performance
    .
    BIG-IQ opens the Authorization Server Performance screen.
  2. At the top left of the screen, from the
    ACCESS GROUP/DEVICES
    list, either select one of the first two options (
    All Devices
    and
    All Managed Devices
    ) or select one or more of the other options (
    <
    Access group name
    >
    ,
    <
    Cluster display name
    >
    , or
    <
    Device name
    >
    ).
    • All Managed Devices
      Includes all Access devices that are currently discovered.
    • <
      Access group name
      >
      Select to include all devices in the Access group.
    • <
      Cluster display name
      >
      Select to include the devices in the cluster.
    • <
      Device name
      >
      Select to include the device. You can select any device from
      Managed Devices
      ,
      <
      Access group name
      >
      , or
      <
      Cluster display name
      >
      .
  3. From the
    TIMEFRAME
    menu, specify a time frame:
    • Select a predefined time period. These range from
      Last hour
      to
      Last 3 months
      .
    • Set a custom time period. Select
      Between
      ,
      After
      , or
      Before
      , and click the additional fields that display the set dates and times that support your selection.
  4. From the
    AUTHORIZATION SERVER
    list, select an OAuth authorization server.
  5. To save report data in a comma-separated values (CSV) file, click the
    CSV Report
    button.
    The CSV file downloads.
  6. To refresh the data on this dashboard immediately, click
    Refresh
    . To configure an automatic refresh, click the arrow next to it and then select
    1 minute
    ,
    5 minutes
    , or
    10 minutes
    . You can also
    Disable
    automatic refresh from this menu.
  7. To view data for a different OAuth resource, make a selection from the
    Resource
    dropdown.
  8. For the line charts on this dashboard, select any of the metrics in order to remove or add each metric to the chart and view a customized data set.

What data can you monitor from the Authorization Server Performance dashboard?

The Authorization Server Performance screen shows several charts that you can use to track the health of your OAuth authorization server. See the notes below to learn more about each category for which you can record data.

What charts are on this dashboard?

Chart
Functionality
OVERVIEW
This chart summarizes performance statistics for requests that this OAuth authorization server processed.
AUTH CODE GRANT
This chart displays statistics for the authorization code grants that this OAuth server processed.
IMPLICIT GRANT
This chart displays statistics for the implicit grants that this OAuth server processed.
ROPC GRANT
This chart displays statistics for the resource owner password credentials (ROPC) grants that this OAuth server processed.
TOKEN INTROSPECTION
This chart displays statistics for the token introspection requests that this OAuth server processed.

What metrics are reported in the charts in the dashboard?

Value
Definition
Requests
Displays the rate at which the total OAuth requests were received.
Auth Codes Issued
Displays the rate at which the total authentication codes were received.
Tokens Issued
Displays the rate at which the OAuth server issued tokens.
Refresh Tokens Issued
Displays the rate at which the OAuth server issued refresh tokens for the authorization code and ROPC grant types.
Tokens Introspected
Displays the rate at which the OAuth server processed successful token introspection requests.
Implicit
Displays the rate at which the OAuth server processes implicit grants.
ROPC
Displays the rate at which the OAuth server processes ROPC grants.
Failed Requests
Displays the rate at which the OAuth server processed unsuccessful requests.

About monitoring OAuth authorization server tokens

If you have configured a managed BIG-IP device to function as an OAuth Authorization server, you can use BIG-IQ to track the health of your OAuth tokens and view key token metrics. To do so, view the Token Summary screen. Data appears when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.

View and configure the OAuth token summary dashboard

Before BIG-IQ can display Access report data for a managed BIG-IP device, you must first complete the following tasks:
  • Add the managed BIG-IP device to the BIG-IQ Centralized Management inventory
  • Discover and import the managed BIG-IP device
  • Have a BIG-IQ user enable Access remote logging configuration on the managed BIG-IP device
To discover and import a configuration and deploy configurations to a managed BIG-IP device, users must belong to one of the following RBAC roles:
  • Admin
  • Access Manager
  • Access Deployer
Only BIG-IQ users managing BIG-IP devices with OAuth provisioned can provide data for OAuth reports.
The Token Summary screen shows several charts that you can use to track the health of your OAuth tokens. Data appears when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.
  1. Click
    Monitoring
    DASHBOARDS
    Access
    Federation
    OAuth
    Authorization Server
    Tokens
    .
    BIG-IQ opens the Token Summary screen.
  2. At the top left of the screen, from the
    ACCESS GROUP/DEVICES
    list, either select one of the first two options (
    All Devices
    and
    All Managed Devices
    ) or select one or more of the other options (
    <
    Access group name
    >
    ,
    <
    Cluster display name
    >
    , or
    <
    Device name
    >
    ).
    • All Managed Devices
      Includes all Access devices that are currently discovered.
    • <
      Access group name
      >
      Select to include all devices in the Access group.
    • <
      Cluster display name
      >
      Select to include the devices in the cluster.
    • <
      Device name
      >
      Select to include the device. You can select any device from
      Managed Devices
      ,
      <
      Access group name
      >
      , or
      <
      Cluster display name
      >
      .
  3. From the
    TIMEFRAME
    menu, specify a time frame:
    • Select a predefined time period. These range from
      Last hour
      to
      Last 3 months
      .
    • Set a custom time period. Select
      Between
      ,
      After
      , or
      Before
      , and click the additional fields that display the set dates and times that support your selection.
  4. From the
    AUTHORIZATION SERVER
    list, select an OAuth authorization server.
  5. From the
    GRANT TYPE
    list, select an OAuth grant type.
  6. To save report data in a comma-separated values (CSV) file, click the
    CSV Report
    button.
    The CSV file downloads.
  7. To refresh the data on this dashboard immediately, click
    Refresh
    . To configure an automatic refresh, click the arrow next to it and then select
    1 minute
    ,
    5 minutes
    , or
    10 minutes
    . You can also
    Disable
    automatic refresh from this menu.
  8. To learn more details for the categories across the top of the page, select
    Total Access Tokens
    ,
    Total Refresh Errors
    ,
    Revoked Tokens
    ,
    Expired Access Tokens
    , or
    Expired Refresh Tokens
    . BIG-IQ displays a screen with additional metrics for the selected category.
    For example, if you are interested in viewing all expired access tokens resulting clients using Windows, select
    Expired Access Tokens
    then view the data for Windows under the chart titled
    PLATFORM DISTRIBUTION
    .
  9. To exit the nested view or to move up one level, select the breadcrumbs links at the top of the dashboard you want to navigate to.
  10. To filter the list of tokens, select an option from the
    TOKEN FILTER
    dropdown menu. Select one of the following: Access Tokens Issued, Access Tokens Expired, Refresh Tokens Issued, or Refresh Tokens Expired.
  11. To revoke an OAuth token, use the list of OAuth tokens on the main
    Token Summary
    dashboard or drill down one level into any of the fields on the dashboard. At the bottom of the screen, select the checkbox next to the OAuth tokens you wish to revoke.
  12. Select
    Revoke Selected Tokens
    , and then select
    OK
    .

What data can you monitor from the OAuth tokens dashboard?

The Token Summary screen shows several charts that you can use to track the health of your OAuth authorization server tokens. See the notes below to learn more about each category for which you can record data.

What is on this dashboard?

Value
Functionality
Total Access Tokens
This chart displays the total number of access tokens in the OAuth configuration.
Total Refresh Tokens
This chart displays the total number of refresh tokens in the OAuth configuration.
Revoked Tokens
This chart displays the total number of tokens that were revoked by the OAuth provider.
Expired Access Tokens
This chart displays the total number of access tokens that expired.
Expired Refresh Tokens
This chart displays the total number of refresh tokens that expired.
User
This field displays the name of the user using the OAuth resource.
Client App
This field displays the name of the client application.
Access Token Issued
This field displays the date and time that this OAuth authorization server issued the token.
Access Token Expires
This field displays the date and time that a revoked token expired or that an active token is set to expire.
Access Token Count
This field displays the number of access tokens.
Access Token Status
This field displays one of these statuses:
  • ACTIVE
    : The status is active when the token is granted and remains active until an event occurs that changes the status.
  • EXPIRED
    : The status changes to expired only after a validate request has been attempted on an access token that has passed its expiration date.
  • REVOKED
    : The status changes to revoked when an administrator revokes the token.
Refresh Token Issued
This field displays the date and time that this OAuth authorization server issued the token.
Refresh Token Expires
This field displays the date and time that a revoked token expired or that an active token is set to expire.
Refresh Token Count
This field displays the number of refresh tokens.
Refresh Token Status
This field displays the OAuth token status, Active or Revoked.
HostName
This field displays the BIG-IP device hostname.
Cluster
This field displays the name of the device cluster.
User Agent
This field displays the name of the user agent.
Grant Type
This field displays the grant type as either
authcode
,
implicit
, or
ROPC
.

About monitoring OAuth client data

BIG-IQ Access users can configure a managed BIG-IP device to function as an OAuth client and resource server. With this configuration, customers can log on to using external OAuth accounts to gain access to the resources protected by the BIG-IP device provisioned with APM.
Once you have configured a BIG-IP device to act as an OAuth client, you can use BIG-IQ to monitor the health of the OAuth client. The Client Summary screen shows several charts that you can use to track the status of your OAuth client. Data appears when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.
From the Client Errors screen, you can view a full log of errors in the OAuth client configuration in order to troubleshoot issues with your OAuth client.

View and configure the OAuth client summary dashboard

Before BIG-IQ can display Access report data for a managed BIG-IP device, you must first complete the following tasks:
  • Add the managed BIG-IP device to the BIG-IQ Centralized Management inventory
  • Discover and import the managed BIG-IP device
  • Have a BIG-IQ user enable Access remote logging configuration on the managed BIG-IP device
To discover and import a configuration and deploy configurations to a managed BIG-IP device, users must belong to one of the following RBAC roles:
  • Admin
  • Access Manager
  • Access Deployer
Only BIG-IQ users managing BIG-IP devices with OAuth provisioned can provide data for OAuth reports.
You can use BIG-IQ to generate OAuth Client summary data. The Client Summary report shows several charts that you can use to track the health of your OAuth client. Controls on this screen work together so you can fine-tune the statistics display.
  1. Navigate to
    Monitoring
    DASHBOARDS
    Access
    Federation
    OAuth
    Client
    Client Summary
    .
  2. At the top left of the screen, from the
    ACCESS GROUP/DEVICES
    list, either select one of the first two options (
    All Devices
    and
    All Managed Devices
    ) or select one or more of the other options (
    <
    Access group name
    >
    ,
    <
    Cluster display name
    >
    , or
    <
    Device name
    >
    ).
    • All Managed Devices
      Includes all Access devices that are currently discovered.
    • <
      Access group name
      >
      Select to include all devices in the Access group.
    • <
      Cluster display name
      >
      Select to include the devices in the cluster.
    • <
      Device name
      >
      Select to include the device. You can select any device from
      Managed Devices
      ,
      <
      Access group name
      >
      , or
      <
      Cluster display name
      >
      .
  3. From the
    TIMEFRAME
    menu, specify a time frame:
    • Select a predefined time period. These range from
      Last hour
      to
      Last 3 months
      .
    • Set a custom time period. Select
      Between
      ,
      After
      , or
      Before
      , and click the additional fields that display the set dates and times that support your selection.
  4. To view data for a different OAuth client, make a selection from the
    CLIENT
    dropdown list.
  5. To view data for a different grant type, make a selection from the
    GRANT TYPE
    dropdown list.
  6. To save report data in a comma-separated values (CSV) file, click the
    CSV Report
    button.
    The CSV file downloads.
  7. To refresh the data on this dashboard immediately, click
    Refresh
    . To configure an automatic refresh, click the arrow next to it and then select
    1 minute
    ,
    5 minutes
    , or
    10 minutes
    . You can also
    Disable
    automatic refresh from this menu.
  8. To learn more details for the categories across the top of the page, select
    Token Requests
    ,
    Token Errors
    ,
    Unique Users
    , or
    Connectivity Errors
    . BIG-IQ displays a screen with additional metrics for the select this recorded category.
    For example, to if you are interested in viewing all token requests initiated by a particular user, select
    Token Requests
    , and then view the data for the user you are interested in under the chart titled
    TOP 10 USERS
    . You can continue drilling down to further customize what displays on this screen.
  9. To view details for a specific session, click the ID under the
    Session ID
    column.
  10. To exit the nested view or to move up one level, select the breadcrumbs links at the top of the dashboard you want to navigate to.
  11. Under the
    OAUTH CLIENT PERFORMANCE OVER TIME
    line chart, select any of the metrics in order to remove or add each metric for token generation.
  12. You can use the bar charts to drill down and generate a customized report. These dashboards are
    TOP 10 USERS
    ,
    TOP 10 CLIENT IPs
    ,
    TOP CLIENT PLATFORMS
    , and
    GEOLOCATION DISTRIBUTION
    .
    For example, if you wanted to view data for a specific user with requests originating from California, select the user you are interested in from under the
    TOP 10 USERS
    dashboard and then select California under the
    GEOLOCATION DISTRIBUTION
    dashboard.
    You can continue drilling down further to view customized combinations of data.
  13. In the second level of the dashboards, you can view a list of sessions associated with OAuth client usage.
  14. To view details for a specific session, click the ID under the
    Session ID
    column.

What data can you monitor for the OAuth Client Summary dashboard?

The Client Summary screen shows several charts that you can use to track the health of your OAuth client. Each chart displays a different category of collected data.

What charts are on this dashboard?

Chart
Functionality
Total Requests
This chart displays the total number of client requests in the OAuth configuration.
Token Errors
This chart displays the total number of token errors received by the OAuth client.
Unique Users
This chart displays the total number of unique users in the OAuth configuration.
Connectivity Errors
This chart displays the total number of connectivity errors in the OAuth configuration.
OAUTH CLIENT PERFORMANCE OVER TIME
This chart displays a line chart for OAuth client performances over time.
TOP 10 USERS
This chart displays the top ten users who have used the OAuth client over the specified time period.
TOP 10 CLIENT IPs
This chart displays the top ten Internet Service Providers that use the OAuth client configuration.
PLATFORM DISTRIBUTION
This chart displays the platform, such as operating system or mobile device, that distributes the OAuth service.
GEOLOCATION DISTRIBUTION
This map displays the country in which the OAuth service is located.

View and configure OAuth client error reports

Before BIG-IQ can display Access report data for a managed BIG-IP device, you must first complete the following tasks:
  • Add the managed BIG-IP device to the BIG-IQ Centralized Management inventory
  • Discover and import the managed BIG-IP device
  • Have a BIG-IQ user enable Access remote logging configuration on the managed BIG-IP device
To discover and import a configuration and deploy configurations to a managed BIG-IP device, users must belong to one of the following RBAC roles:
  • Admin
  • Access Manager
  • Access Deployer
Only BIG-IQ users managing BIG-IP devices with OAuth provisioned can provide data for OAuth reports.
Use BIG-IQ Centralized Management to monitor OAuth client error logs. The Client Errors report shows a log of errors in the OAuth client configuration.
  1. Navigate to
    Monitoring
    DASHBOARDS
    Access
    Federation
    OAuth
    Client
    Client Error Logs
    .
  2. At the top left of the screen, from the
    ACCESS GROUP/DEVICES
    list, either select one of the first two options (
    All Devices
    and
    All Managed Devices
    ) or select one or more of the other options (
    <
    Access group name
    >
    ,
    <
    Cluster display name
    >
    , or
    <
    Device name
    >
    ).
    • All Managed Devices
      Includes all Access devices that are currently discovered.
    • <
      Access group name
      >
      Select to include all devices in the Access group.
    • <
      Cluster display name
      >
      Select to include the devices in the cluster.
    • <
      Device name
      >
      Select to include the device. You can select any device from
      Managed Devices
      ,
      <
      Access group name
      >
      , or
      <
      Cluster display name
      >
      .
  3. From the
    TIMEFRAME
    menu, specify a time frame:
    • Select a predefined time period. These range from
      Last hour
      to
      Last 3 months
      .
    • Set a custom time period. Select
      Between
      ,
      After
      , or
      Before
      , and click the additional fields that display the set dates and times that support your selection.
  4. To save report data in a comma-separated values (CSV) file, click the
    CSV Report
    button.
    The CSV file downloads.
  5. To refresh the data on this dashboard immediately, click
    Refresh
    . To configure an automatic refresh, click the arrow next to it and then select
    1 minute
    ,
    5 minutes
    , or
    10 minutes
    . You can also
    Disable
    automatic refresh from this menu.
  6. View the list of error messages in the report. To view specific session details for one of the errors, click the ID under the
    Session ID
    column.

What data can you monitor in the OAuth Client Error Logs?

The Client Errors screen shows a list of errors in the OAuth client configuration. See the notes below to learn more about each field for which you can record data.

What fields are on this screen?

Field
Functionality
Local Time
This field displays the time and date the error message occurred.
HostName
This field displays the hostname of the managed BIG-IP device that sent this error message.
Session ID
Click the session ID to open the Session Details screen, displaying session details and session variables. From this screen, you can monitor log messages and customize your log message report by severity. Selecting
Emergency
will show only the most severe warnings, and selecting
Debug
will display the lowest severity messages.
Log Level
This field displays the log level of the error message.
Message
This field displays the error message.

About monitoring OAuth client resource data

BIG-IQ Access users can configure a managed BIG-IP device to act as an OAuth client and resource server. Once you have done so, you can view the OAuth Resource Summary screen to track the health of your OAuth resource. Data appears when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.

View and configure the OAuth resource summary dashboard

Before BIG-IQ can display Access report data for a managed BIG-IP device, you must first complete the following tasks:
  • Add the managed BIG-IP device to the BIG-IQ Centralized Management inventory
  • Discover and import the managed BIG-IP device
  • Have a BIG-IQ user enable Access remote logging configuration on the managed BIG-IP device
To discover and import a configuration and deploy configurations to a managed BIG-IP device, users must belong to one of the following RBAC roles:
  • Admin
  • Access Manager
  • Access Deployer
Only BIG-IQ users managing BIG-IP devices with OAuth provisioned can provide data for OAuth reports.
Use BIG-IQ Centralized Management to generate a summary report for your OAuth resource. The Resource Summary dashboard shows several charts that you can use to track the health of your OAuth resource. Controls on this screen work together so you can fine-tune the statistics display.
  1. Navigate to
    Monitoring
    DASHBOARDS
    Access
    Federation
    OAuth
    Resource
    .
  2. At the top left of the screen, from the
    ACCESS GROUP/DEVICES
    list, either select one of the first two options (
    All Devices
    and
    All Managed Devices
    ) or select one or more of the other options (
    <
    Access group name
    >
    ,
    <
    Cluster display name
    >
    , or
    <
    Device name
    >
    ).
    • All Managed Devices
      Includes all Access devices that are currently discovered.
    • <
      Access group name
      >
      Select to include all devices in the Access group.
    • <
      Cluster display name
      >
      Select to include the devices in the cluster.
    • <
      Device name
      >
      Select to include the device. You can select any device from
      Managed Devices
      ,
      <
      Access group name
      >
      , or
      <
      Cluster display name
      >
      .
  3. From the
    TIMEFRAME
    menu, specify a time frame:
    • Select a predefined time period. These range from
      Last hour
      to
      Last 3 months
      .
    • Set a custom time period. Select
      Between
      ,
      After
      , or
      Before
      , and click the additional fields that display the set dates and times that support your selection.
  4. To view data for a different OAuth resource, make a selection from the
    Resource
    dropdown.
  5. To save report data in a comma-separated values (CSV) file, click the
    CSV Report
    button.
    The CSV file downloads.
  6. To refresh the data on this dashboard immediately, click
    Refresh
    . To configure an automatic refresh, click the arrow next to it and then select
    1 minute
    ,
    5 minutes
    , or
    10 minutes
    . You can also
    Disable
    automatic refresh from this menu.
  7. To learn more details for the categories across the top of the page, select
    Token Validation Successes
    ,
    Token Validation Errors
    ,
    Unique Client IPs
    , or
    Connectivity Errors
    . BIG-IQ displays a screen with additional metrics for the selected category.
    For example, to see resource usage originating from a specific client IP address, select
    Unique Client IPs
    , then view the data for the IP address you are interested in under the chart titled
    TOP 10 CLIENT IPs
    . You can continue drilling down to view even more customized reports.
  8. To view details for a specific session, click the ID under the
    Session ID
    column.
  9. To exit the nested view or to move up one level, select the breadcrumbs links at the top of the dashboard you want to navigate to.
  10. Under the
    RESOURCE SERVER PERFORMANCE OVER TIME
    line chart, select any of the metrics in order to remove or add each metric to the chart for resource server performance.
  11. You can use the bar charts to drill down and generate a customized dashboard. These charts are
    TOP 10 CLIENT IPs
    ,
    TOP CLIENT PLATFORMS
    , and
    GEOLOCATION DISTRIBUTION
    .
    For example, to view data for a specific client IP address with requests originating from Seattle:
    1. On the
      TOP 10 CLIENT IPs
      chart, select the IP address you are interested in.
    2. On the map in the
      GEOLOCATION DISTRIBUTION
      chart, select
      Seattle
      .
    Once you drill down, you will be able to view customized combinations of data for the selected Seattle IP address.

What data can you monitor for the OAuth Resource Summary dashboard?

The Resource Summary screen shows several charts that you can use to track the health of your OAuth resource. Each chart displays a different category of collected data.

What charts are on this dashboard?

Chart
Functionality
Token Validation Successes
This chart displays the total number of successful token validation by the OAuth resource server.
Token Validation Errors
This chart displays the total number validation errors from the OAuth resource server.
Unique Client IPs
This chart displays the total number of unique client IPs in the OAuth configuration.
Connectivity Errors
This chart displays the total number of connectivity errors on the OAuth resource server.
RESOURCE SERVER PERFORMANCE OVER TIME
This chart displays a line chart for resource server performances over time.
TOP 10 CLIENT IPs
This chart displays the top ten client IP addresses that use the OAuth client configuration.
PLATFORM DISTRIBUTION
This chart displays the operating system for the user's machine that distributes the OAuth service.
GEOLOCATION DISTRIBUTION
This chart displays the country in which the user is located.

About summary reports for monitoring SAML Service Providers

BIG-IQ Access users can configure a managed BIG-IP device with APM provisioned to act as a SAML service provider (SP). Once you have done so, use the SAML SP Summary dashboard to track the health of your SAML SP resource. Data appears when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.

View and configure the Service Provider (SP) summary report

Before BIG-IQ can display Access report data for a managed BIG-IP device, you must first complete the following tasks:
  • Add the managed BIG-IP device to the BIG-IQ Centralized Management inventory
  • Discover and import the managed BIG-IP device
  • Have a BIG-IQ user enable Access remote logging configuration on the managed BIG-IP device
To discover and import a configuration and deploy configurations to a managed BIG-IP device, users must belong to one of the following RBAC roles:
  • Admin
  • Access Manager
  • Access Deployer
Only a managed BIG-IP device with SAML provisioned can provide data for SAML reports.
Use BIG-IQ Centralized Management to generate a summary report for SAML Service Provider (SP) resources. The SP Summary report shows several charts that you can use to track the health of your SAML SP resource. Controls on this screen work together so you can fine-tune the statistics display.
  1. Navigate to
    Monitoring
    DASHBOARDS
    Access
    Federation
    SAML
    SP
    SP Summary
    .
  2. At the top left of the screen, from the
    ACCESS GROUP/DEVICES
    list, either select one of the first two options (
    All Devices
    and
    All Managed Devices
    ) or select one or more of the other options (
    <
    Access group name
    >
    ,
    <
    Cluster display name
    >
    , or
    <
    Device name
    >
    ).
    • All Managed Devices
      Includes all Access devices that are currently discovered.
    • <
      Access group name
      >
      Select to include all devices in the Access group.
    • <
      Cluster display name
      >
      Select to include the devices in the cluster.
    • <
      Device name
      >
      Select to include the device. You can select any device from
      Managed Devices
      ,
      <
      Access group name
      >
      , or
      <
      Cluster display name
      >
      .
  3. From the
    TIMEFRAME
    menu, specify a time frame:
    • Select a predefined time period. These range from
      Last hour
      to
      Last 3 months
      .
    • Set a custom time period. Select
      Between
      ,
      After
      , or
      Before
      , and click the additional fields that display the set dates and times that support your selection.
  4. To view data for a different SAML service provider, make a selection from the
    SP
    dropdown list.
  5. To save report data in a comma-separated values (CSV) file, click the
    CSV Report
    button.
    The CSV file downloads.
  6. To refresh the data on this dashboard immediately, click
    Refresh
    . To configure an automatic refresh, click the arrow next to it and then select
    1 minute
    ,
    5 minutes
    , or
    10 minutes
    . You can also
    Disable
    automatic refresh from this menu.
  7. To learn more details for the categories across the top of the page, select
    Assertions Success
    and
    Assertions Failed
    . A screen appears with additional metrics for this recorded category.
    For example, if you are interested in viewing all successful assertions from a particular OAuth service provider, select
    Successful Assertions
    . Then select a service provider under the chart titled
    TOP 10 SPs WITH SUCCESSFUL ASSERTIONS
    . Continue drilling down for a more specific report.
  8. To view details for a specific session, click the ID under the
    Session ID
    column.
  9. To exit the nested view or to move up one level, select the breadcrumbs links at the top of the dashboard you want to navigate to.
  10. Under the
    IDP ASSERTIONS OVER TIME
    line chart, select any of the metrics in order to remove or add each metric for the IdP assertion chart.
  11. You can use the bar charts to drill down and generate a customized report. These charts are
    TOP 10 IDPs WITH SUCCESSFUL ASSERTIONS
    ,
    TOP 10 CLIENT IPs
    ,
    TOP 10 SUBJECT VALUES WITH SUCCESSFUL ASSERTIONS
    , and
    TOP 10 IDPs WITH FAILED ASSERTIONS
    .
    For example, if you wanted to view data for a specific user and for a particular OAuth client IP address, select the user you are interested in from under the
    TOP 10 USERS
    dashboard and then select the IP address under the
    TOP 10 OAUTH CLIENT IPs
    dashboard.
    As you drill down, you will be able to view customized combinations of data.

What data can you monitor for the SAML Service Provider Summary dashboard?

The SP Summary screen shows several charts that you can use to track the health of your SAML SP resource. Each chart displays a different category of collected data.

What charts are in this dashboard?

Chart
Functionality
Assertions Success
This chart displays the number of successful SP assertions.
Assertions Failed
This chart displays the total number of failed SP assertions.
SP ASSERTIONS OVER TIME
This chart displays a line chart for SP assertions over time.
TOP 10 IdPs WITH SUCCESSFUL ASSERTIONS
This chart displays the top ten IdPs with successful assertions.
TOP 10 IDPs WITH FAILED ASSERTIONS
This chart displays the top ten IdPs with failed assertions.
TOP 10 CLIENT IPs
This chart displays the top ten Client IP addresses that use SP assertions.
TOP 10 SUBJECT VALUES WITH SUCCESSFUL ASSERTIONS
This chart displays the top subject values with successful assertions.

About monitoring SAML SP assertions

BIG-IQ Access users can monitor SAML Service Provider assertion data using the SP Assertions dashboard. The SP Assertions screen shows several charts that you can use to track the health of your SAML SP assertions. Data appears when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.

View and configure SP assertion reports

Before BIG-IQ can display Access report data for a managed BIG-IP device, you must first complete the following tasks:
  • Add the managed BIG-IP device to the BIG-IQ Centralized Management inventory
  • Discover and import the managed BIG-IP device
  • Have a BIG-IQ user enable Access remote logging configuration on the managed BIG-IP device
To discover and import a configuration and deploy configurations to a managed BIG-IP device, users must belong to one of the following RBAC roles:
  • Admin
  • Access Manager
  • Access Deployer
Only a BIG-IP device with SAML provisioned on it can provide data for SAML reports.
The SP Assertions screen shows several charts that you can use to track the health of your SAML SP assertions. Controls on this screen work together so you can fine-tune the statistics display.
  1. Navigate to
    Monitoring
    DASHBOARDS
    Access
    Federation
    SAML
    SP
    SP Assertions Reports
    .
    The SP Assertions screen opens, displaying a table with assertion information.
  2. At the top left of the screen, from the
    ACCESS GROUP/DEVICES
    list, either select one of the first two options (
    All Devices
    and
    All Managed Devices
    ) or select one or more of the other options (
    <
    Access group name
    >
    ,
    <
    Cluster display name
    >
    , or
    <
    Device name
    >
    ).
    • All Managed Devices
      Includes all Access devices that are currently discovered.
    • <
      Access group name
      >
      Select to include all devices in the Access group.
    • <
      Cluster display name
      >
      Select to include the devices in the cluster.
    • <
      Device name
      >
      Select to include the device. You can select any device from
      Managed Devices
      ,
      <
      Access group name
      >
      , or
      <
      Cluster display name
      >
      .
  3. From the
    TIMEFRAME
    menu, specify a time frame:
    • Select a predefined time period. These range from
      Last hour
      to
      Last 3 months
      .
    • Set a custom time period. Select
      Between
      ,
      After
      , or
      Before
      , and click the additional fields that display the set dates and times that support your selection.
  4. To view data for a specific SAML service provider, select one from the
    SP
    dropdown list.
    View the list of SP assertions in the table.
  5. To save report data in a comma-separated values (CSV) file, click the
    CSV Report
    button.
    The CSV file downloads.
  6. To refresh the data on this dashboard immediately, click
    Refresh
    . To configure an automatic refresh, click the arrow next to it and then select
    1 minute
    ,
    5 minutes
    , or
    10 minutes
    . You can also
    Disable
    automatic refresh from this menu.
  7. To view details for a specific session, click the ID under the
    Session ID
    column.

What data can you monitor for the SAML SP Assertions dashboard?

The SP Assertions screen shows several charts that you can use to track the health of your SAML SP assertions. See the notes below to learn more about each field for which you can record data.

What fields are in this dashboard?

Field
Functionality
Session ID
Click the session ID to open the Session Details screen, displaying session details and session variables. From this screen, you can monitor log messages and customize your log message report by severity. Selecting
Emergency
will show only the most severe warnings, and selecting
Debug
will display the lowest severity messages.
Assertion Time
This field displays the time and date when the SP assertion occurred.
Name
This field displays the SP service.
User Name
This field displays the username attempting to sign on with Single Sign-ON (SSO).
HostName
This field displays managed BIG-IP device hostname.
Platform
This field displays the operating system of the client's machine.
Cluster
This field displays the cluster attached to the SP service.

About SAML SP error reports

BIG-IQ Access users can generate SAML SP error reports to view a full length log for all error messages originating from a managed BIG-IP device serving as a SAML SP. To do so, use the SAML SP Error Report screen in BIG-IQ. Data appears when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.

View and configure SP error reports

Before BIG-IQ can display Access report data for a managed BIG-IP device, you must first complete the following tasks:
  • Add the managed BIG-IP device to the BIG-IQ Centralized Management inventory
  • Discover and import the managed BIG-IP device
  • Have a BIG-IQ user enable Access remote logging configuration on the managed BIG-IP device
To discover and import a configuration and deploy configurations to a managed BIG-IP device, users must belong to one of the following RBAC roles:
  • Admin
  • Access Manager
  • Access Deployer
Only a BIG-IP device with SAML provisioned on it can provide data for SAML reports.
The SP Errors screen shows several charts that you can use to track the health of your SAML SP errors. Controls on this screen work together so you can fine-tune the statistics display.
  1. Navigate to
    Monitoring
    DASHBOARDS
    Access
    Federation
    SAML
    SP
    SP Error Reports
    .
    The SP Error Reports screen opens, displaying the error logs.
  2. At the top left of the screen, from the
    ACCESS GROUP/DEVICES
    list, either select one of the first two options (
    All Devices
    and
    All Managed Devices
    ) or select one or more of the other options (
    <
    Access group name
    >
    ,
    <
    Cluster display name
    >
    , or
    <
    Device name
    >
    ).
    • All Managed Devices
      Includes all Access devices that are currently discovered.
    • <
      Access group name
      >
      Select to include all devices in the Access group.
    • <
      Cluster display name
      >
      Select to include the devices in the cluster.
    • <
      Device name
      >
      Select to include the device. You can select any device from
      Managed Devices
      ,
      <
      Access group name
      >
      , or
      <
      Cluster display name
      >
      .
  3. From the
    TIMEFRAME
    menu, specify a time frame:
    • Select a predefined time period. These range from
      Last hour
      to
      Last 3 months
      .
    • Set a custom time period. Select
      Between
      ,
      After
      , or
      Before
      , and click the additional fields that display the set dates and times that support your selection.
  4. To view data for a specific SAML service provider, select one from the
    SP
    dropdown list.
    View the list of service provider errors in the table on the dashboard.
  5. To save report data in a comma-separated values (CSV) file, click the
    CSV Report
    button.
    The CSV file downloads.
  6. To refresh the data on this dashboard immediately, click
    Refresh
    . To configure an automatic refresh, click the arrow next to it and then select
    1 minute
    ,
    5 minutes
    , or
    10 minutes
    . You can also
    Disable
    automatic refresh from this menu.
  7. View the list of service provider errors in the table on the dashboard.
  8. To view details for a specific session, click the ID under the
    Session ID
    column.

What data can you monitor for the SAML SP Error Reports?

The SP Errors screen shows several charts that you can use to track the health of your SAML SP errors. See the notes below to learn more about each field for which you can record data.

What fields are in this dashboard?

Field
Functionality
Local Time
This field displays the time and date the error message occurred.
HostName
This field displays the hostname of the managed BIG-IP device from which this error message originated.
Session ID
Click the session ID to open the Session Details screen, displaying session details and session variables. From this screen, you can monitor log messages and customize your log message report by severity. Selecting
Emergency
will show only the most severe warnings, and selecting
Debug
will display the lowest severity messages.
Log Level
This field displays the log level of the error message.
Message
This field displays the error message.

About summary reports for SAML identity providers

BIG-IQ Access users can configure managed BIG-IP devices with APM provisioned to act as a SAML Identity Provider (IdP) for Software as a Service (SaaS) applications. Configure managed BIG-IP devices as a SAML IdP to enable Single-Sign On to common applications. Once you have configured a BIG-IP device as an IdP, use BIG-IQ to track the health of your SAML IdP resource. Using the IdP Summary dashboard, you can view a variety of metrics to monitor SAML assertions and IdP errors.
Data appears on this dashboard when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.

View and configure Identity Provider summary reports

Before BIG-IQ can display Access report data for a managed BIG-IP device, you must first complete the following tasks:
  • Add the managed BIG-IP device to the BIG-IQ Centralized Management inventory
  • Discover and import the managed BIG-IP device
  • Have a BIG-IQ user enable Access remote logging configuration on the managed BIG-IP device
To discover and import a configuration and deploy configurations to a managed BIG-IP device, users must belong to one of the following RBAC roles:
  • Admin
  • Access Manager
  • Access Deployer
Only a managed BIG-IP device with SAML provisioned can provide data for SAML reports.
Use BIG-IQ Centralized Management to generate a SAML Identity Provider report. The IdP Summary report shows several charts that you can use to track the health of your SAML IdP resource.
  1. Navigate to
    Monitoring
    DASHBOARDS
    Access
    Federation
    SAML
    IdP
    IdP Summary
    .
    The IdP Summary screen opens, displaying a dashboard with summary information.
  2. At the top left of the screen, from the
    ACCESS GROUP/DEVICES
    list, either select one of the first two options (
    All Devices
    and
    All Managed Devices
    ) or select one or more of the other options (
    <
    Access group name
    >
    ,
    <
    Cluster display name
    >
    , or
    <
    Device name
    >
    ).
    • All Managed Devices
      Includes all Access devices that are currently discovered.
    • <
      Access group name
      >
      Select to include all devices in the Access group.
    • <
      Cluster display name
      >
      Select to include the devices in the cluster.
    • <
      Device name
      >
      Select to include the device. You can select any device from
      Managed Devices
      ,
      <
      Access group name
      >
      , or
      <
      Cluster display name
      >
      .
  3. From the
    TIMEFRAME
    menu, specify a time frame:
    • Select a predefined time period. These range from
      Last hour
      to
      Last 3 months
      .
    • Set a custom time period. Select
      Between
      ,
      After
      , or
      Before
      , and click the additional fields that display the set dates and times that support your selection.
  4. From the
    IdP
    dropdown menu, select one SAML identity provider to view a report for that resource.
  5. To save report data in a comma-separated values (CSV) file, click the
    CSV Report
    button.
    The CSV file downloads.
  6. To refresh the data on this dashboard immediately, click
    Refresh
    . To configure an automatic refresh, click the arrow next to it and then select
    1 minute
    ,
    5 minutes
    , or
    10 minutes
    . You can also
    Disable
    automatic refresh from this menu.
  7. To learn more details for the categories across the top of the page, select
    Assertions Success
    and
    Assertions Failed
    . A screen appears with additional metrics for this recorded category.
    For example, if you are interested in viewing all successful assertions from a particular OAuth identity provider, select
    Successful Assertions
    . Then select an identity provider under the chart titled
    TOP 10 IDPs WITH SUCCESSFUL ASSERTIONS
    . Continue drilling down for a more customized report.
  8. To view details for a specific session, click the ID under the
    Session ID
    column.
  9. To exit the nested view or to move up one level, select the breadcrumbs links at the top of the dashboard you want to navigate to.
  10. Under the
    IDP ASSERTIONS OVER TIME
    line chart, select any of the metrics in order to remove or add each metric for the IdP assertion chart.
  11. You can use the bar charts to drill down and generate a customized report. These charts are
    TOP 10 SPs WITH SUCCESSFUL ASSERTIONS
    ,
    TOP 10 USERS
    ,
    TOP 10 SUBJECT VALUES WITH SUCCESSFUL ASSERTIONS
    , and
    TOP 10 SPs WITH FAILED ASSERTIONS
    .
    For example, if you wanted to view data for a specific user and for a particular client IP address, select the user you are interested in from under the
    TOP 10 USERS
    dashboard and then select the IP address under the
    TOP 10 CLIENT IP's
    dashboard.
    As you drill down, you will be able to view customized combinations of data.

What data can you monitor for the SAML Identity Provider Summary dashboard?

The IdP Summary screen shows several charts that you can use to track the health of your SAML IdP resource. Each chart displays a different category of collected data.

What charts are in this dashboard?

Chart
Functionality
Assertions Success
This chart displays the total number of successful IdP assertions.
Assertions Failed
This chart displays the total number of failed IdP assertions.
IDP ASSERTIONS OVER TIME
This chart displays a line chart for IdP assertions over time.
TOP 10 SPs WITH SUCCESSFUL ASSERTIONS
This chart displays the top ten SPs with successful assertions.
TOP 10 USERS
This chart displays the top ten users who have attempted to sign in using a SAML IdP.
TOP 10 SUBJECT VALUES WITH SUCCESSFUL ASSERTIONS
This chart displays the top subject values with successful assertions.
TOP 10 IDPs WITH FAILED ASSERTIONS
This chart displays the top ten IdPs with failed assertions.

About monitoring IdP assertion data

BIG-IQ Access users can monitor SAML Identity Provider assertion data using the IdP Assertions dashboard. The IdP Assertions screen shows several charts that you can use to track the health of your SAML IdP assertions. Data appears when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.

View and configure IdP assertion reports

Before BIG-IQ can display Access report data for a managed BIG-IP device, you must first complete the following tasks:
  • Add the managed BIG-IP device to the BIG-IQ Centralized Management inventory
  • Discover and import the managed BIG-IP device
  • Have a BIG-IQ user enable Access remote logging configuration on the managed BIG-IP device
To discover and import a configuration and deploy configurations to a managed BIG-IP device, users must belong to one of the following RBAC roles:
  • Admin
  • Access Manager
  • Access Deployer
Only a managed BIG-IP device with SAML provisioned on it can provide data for SAML reports.
The IdP Assertions screen shows several charts that you can use to track the health of your SAML IdP assertions. Controls on this screen work together so you can fine-tune the statistics display.
  1. Click
    Monitoring
    DASHBOARDS
    Access
    Federation
    SAML
    IdP Assertions
    The IdP Assertions screen opens, displaying a table with assertion information.
  2. At the top left of the screen, from the
    ACCESS GROUP/DEVICES
    list, either select one of the first two options (
    All Devices
    and
    All Managed Devices
    ) or select one or more of the other options (
    <
    Access group name
    >
    ,
    <
    Cluster display name
    >
    , or
    <
    Device name
    >
    ).
    • All Managed Devices
      Includes all Access devices that are currently discovered.
    • <
      Access group name
      >
      Select to include all devices in the Access group.
    • <
      Cluster display name
      >
      Select to include the devices in the cluster.
    • <
      Device name
      >
      Select to include the device. You can select any device from
      Managed Devices
      ,
      <
      Access group name
      >
      , or
      <
      Cluster display name
      >
      .
  3. From the
    TIMEFRAME
    menu, specify a time frame:
    • Select a predefined time period. These range from
      Last hour
      to
      Last 3 months
      .
    • Set a custom time period. Select
      Between
      ,
      After
      , or
      Before
      , and click the additional fields that display the set dates and times that support your selection.
  4. From the
    IdP
    dropdown menu, select one SAML identity provider to view a report for that resource.
  5. To save report data in a comma-separated values (CSV) file, click the
    CSV Report
    button.
    The CSV file downloads.
  6. To refresh the data on this dashboard immediately, click
    Refresh
    . To configure an automatic refresh, click the arrow next to it and then select
    1 minute
    ,
    5 minutes
    , or
    10 minutes
    . You can also
    Disable
    automatic refresh from this menu.
  7. View a list of IdP assertions in the dashboard for the selected SAML identity provider.
  8. To view details for a specific session, click the ID under the
    Session ID
    column.

What data can you monitor for the SAML IdP Assertions dashboard?

The IdP Assertions screen shows several charts that you can use to track the health of your SAML IdPs assertions. See the notes below to learn more about each field for which you can record data.

What field can you monitor in this dashboard?

Field
Functionality
Session ID
Click the session ID to open the Session Details screen, displaying session details and session variables. From this screen, you can monitor log messages and customize your log message report by severity. Selecting
Emergency
will show only the most severe warnings, and selecting
Debug
will display the lowest severity messages.
Assertion Time
This field displays the time and date when the SP assertion occurred.
Name
This field displays the name of the IdP service.
User Name
This field displays the username of the person using the managed BIG-IP device.
HostName
This field displays managed BIG-IP device hostname.
Platform
This field displays the operating system of the client's machine.
Cluster
This field displays the cluster attached to the IdP service.

About SAML Identity Provider error reports

BIG-IQ Access users can generate SAML IdP error reports to view a full length log for all error messages originating from a managed BIG-IP device serving as a SAML IdP. To do so, use the SAML IdP Error Report screen in BIG-IQ. Data appears on the dashboard when you configure statistics collection. Controls on this screen work together so you can fine-tune the statistics display.

View and configure IdP error reports

Before BIG-IQ can display Access report data for a managed BIG-IP device, you must first complete the following tasks:
  • Add the managed BIG-IP device to the BIG-IQ Centralized Management inventory
  • Discover and import the managed BIG-IP device
  • Have a BIG-IQ user enable Access remote logging configuration on the managed BIG-IP device
To discover and import a configuration and deploy configurations to a managed BIG-IP device, users must belong to one of the following RBAC roles:
  • Admin
  • Access Manager
  • Access Deployer
Only a managed BIG-IP device with SAML provisioned on it can provide data for SAML reports.
The IdP Errors screen shows several charts that you can use to track the health of your SAML IdP errors. Controls on this screen work together so you can fine-tune the statistics display.
  1. Select
    Monitoring
    DASHBOARDS
    Access
    Federation
    SAML
    IdP
    IdP Error Report
    .
    The IdP Errors screen opens, displaying a table with reported errors.
  2. At the top left of the screen, from the
    ACCESS GROUP/DEVICES
    list, either select one of the first two options (
    All Devices
    and
    All Managed Devices
    ) or select one or more of the other options (
    <
    Access group name
    >
    ,
    <
    Cluster display name
    >
    , or
    <
    Device name
    >
    ).
    • All Managed Devices
      Includes all Access devices that are currently discovered.
    • <
      Access group name
      >
      Select to include all devices in the Access group.
    • <
      Cluster display name
      >
      Select to include the devices in the cluster.
    • <
      Device name
      >
      Select to include the device. You can select any device from
      Managed Devices
      ,
      <
      Access group name
      >
      , or
      <
      Cluster display name
      >
      .
  3. From the
    TIMEFRAME
    menu, specify a time frame:
    • Select a predefined time period. These range from
      Last hour
      to
      Last 3 months
      .
    • Set a custom time period. Select
      Between
      ,
      After
      , or
      Before
      , and click the additional fields that display the set dates and times that support your selection.
  4. From the
    IdP
    dropdown menu, select one SAML identity provider to view a report for that resource.
    View a list of IdP errors in this dashboard.
  5. To save report data in a comma-separated values (CSV) file, click the
    CSV Report
    button.
    The CSV file downloads.
  6. To refresh the data on this dashboard immediately, click
    Refresh
    . To configure an automatic refresh, click the arrow next to it and then select
    1 minute
    ,
    5 minutes
    , or
    10 minutes
    . You can also
    Disable
    automatic refresh from this menu.
  7. To view details for a specific session, click the ID under the
    Session ID
    column.

What data can you monitor for the SAML IdP Error dashboard?

The IdP Errors screen shows several charts that you can use to track the health of your SAML IdP errors. Each chart displays a different category of collected data.

What is in this dashboard?

Value
Functionality
Local Time
This field displays the time and date the error message occurred.
HostName
This field displays the hostname of the managed BIG-IP that generated this error message.
Session ID
Click the session ID to open the Session Details screen, displaying session details and session variables. From this screen, you can monitor log messages and customize your log message report by severity. Selecting
Emergency
will show only the most severe warnings, and selecting
Debug
will display the lowest severity messages.
Log Level
This field displays the log level of the error message.
Message
This field displays the error message.