Chris Toews 9

Monitor SAML SSO logins

I'm looking for a way to monitor whether SAML logins are being used

I'm supporting multiple orgs, each org having its own people administering Salesforce.
I'm looking for a way to monitor that SAML logins are being used in these orgs. I want to make sure that the admins don't turn off the SSO, and that the users don't bypass SSO by going to login.salesforce.com (which I can shut off, but the admins can uncheck), or by going to https://mydomain.my.salesforce.com/?login (which bypasses SSO restrictions).

I know there are reports that can be run to look at logins, but it will be impractical for me to log into each org to run reports to look at logins. I need a method to automatically look at multiple orgs and notify me of offending logins.

What I currently have set up:
I have Heroku set up with Heroku Connect pulling Salesforce data into a Postgres database.
I am syncing two tables for this purpose: authsession and user.

After some testing, I found that when a user logs in with SSO, the logintype = "SAML Sfdc Initiated SSO".
If the user was using Salesforce1, the logintype = "Remote Access 2.0" and the sessiontype = "Oauth2".
If the user logged in with login.salesforce.com (what I want to monitor), logintype = "Application" and sessiontype = "UI".

So to find the offending logins, where SSO was not used I ran the following query:
-- top-level (parentid is null) UI sessions that did not come through SSO
select *
from myschema.authsession auth
left join myschema.user usr
	on auth.usersid = usr.sfid
where auth.parentid is null
	and auth.logintype = 'Application'
	and auth.sessiontype = 'UI'
order by auth.createddate desc
I'm wondering if this is going to catch all logins that don't use SSO, and if there is an easier way to do what I'm trying to do.

Chris Toews

Chris - The authsession object holds the current user session information; if the user session ends, then it won't store the information in the object. If you are looking for a report which holds past login information, then use the LoginHistory object, which holds all the login information. You can filter the login information using logintype = "SAML Sfdc Initiated SSO".

If you want to list the users not using SSO, then filter your query with logintype != "SAML Sfdc Initiated SSO". Using that list, just compare with the original user table to get the user name and other details. You can get the browser, application, IP address and other information related to the login in the Login History object.

Check this link for more details about the LoginHistory Object - https://developer.salesforce.com/docs/atlas.en-us.api.meta/api/sforce_api_objects_loginhistory.htm
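
Added example, not part of the original posts and not Salesforce code: one way to audit login-history rows collected from several orgs, flagging logins that are neither SSO nor an allowed type, and also flagging any org that shows no SAML logins at all in the window. The login type strings are the ones quoted in this thread; the org labels, user ids, the allowlist and the `exempt_users` parameter are assumptions made for the illustration.

```python
from collections import Counter

# Login type values as reported in this thread.
SSO_TYPES = {"SAML Sfdc Initiated SSO"}
# Policy assumption: OAuth logins (e.g. Salesforce1) are acceptable without SAML.
ALLOWED_NON_SSO = {"Remote Access 2.0"}

# Constructed sample rows: (org label, user id, login type, login time).
# In practice these would come from each org's synced login-history table.
SAMPLE_ROWS = [
    ("org-a", "005A1", "SAML Sfdc Initiated SSO", "2024-01-05T08:00:00Z"),
    ("org-a", "005A2", "Application",             "2024-01-05T09:30:00Z"),
    ("org-a", "005A3", "Remote Access 2.0",       "2024-01-05T10:00:00Z"),
    ("org-b", "005B1", "Application",             "2024-01-05T07:15:00Z"),
    ("org-b", "005B2", "Application",             "2024-01-05T11:45:00Z"),
]


def audit_logins(rows, exempt_users=frozenset()):
    """Return (offending logins, newest first; orgs with zero SSO logins).

    exempt_users is a hypothetical set of (org, user_id) pairs that may log
    in without SSO, such as a break-glass admin account.
    """
    sso_per_org = Counter()
    offenders = []
    for org, user_id, login_type, login_time in rows:
        # Adding 0 still registers the org, so orgs with no SSO show up below.
        sso_per_org[org] += int(login_type in SSO_TYPES)
        if login_type in SSO_TYPES or login_type in ALLOWED_NON_SSO:
            continue
        if (org, user_id) in exempt_users:
            continue
        offenders.append({"org": org, "user_id": user_id,
                          "login_type": login_type, "login_time": login_time})
    # ISO-8601 UTC timestamps in one format sort correctly as strings.
    offenders.sort(key=lambda r: r["login_time"], reverse=True)
    orgs_without_sso = sorted(o for o, n in sso_per_org.items() if n == 0)
    return offenders, orgs_without_sso


if __name__ == "__main__":
    bad, no_sso = audit_logins(SAMPLE_ROWS)
    for row in bad:
        print("non-SSO login:", row)
    print("orgs with no SAML logins in window:", no_sso)
```

An org with no SAML logins at all in the window is reported separately because that pattern fits SSO having been switched off rather than a single user going around it.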