Analyzing Statistics for Federated Login Attempts

The statistics displayed in the Federated Login Attempts view includes the success and failure login attempts over time that happened through federated identity providers, and the distribution of login attempts over various dimensions such as service providers, identity providers, and users.

The successful authentication attempt for a single federated step is considered a federated authentication success. Similarly, a failed authentication attempt for a single federated step is considered a federated authentication failure.

A failed federated authentication attempt is counted as a failure only if a failed response is received from a federated identity provider.

For detailed information about the common functions of the Security Analytics dashboard, see Analyzing Statistics for Authentication Operations - Using the Security Analytics Dashboard.

Login Attempts Over Time

View (Example)
Description	This gadget indicates the following. The total number of login attempts during the selected time interval. The success and the failure rate for login attempts during the selected time interval. Region map shown in the dashboard may not show all the regions for the login attempts. This is because the packed sample database does not contain complete data for all the IP addresses. Please create a new database with complete data and do necessary configurations in WSO2 IS Analytics Server. See Using Geolocation Based Statistics.
Purpose	This allows you to identify the login attempts handled by IS over time. As a result, you can understand the login patterns and detect deviations that may indicate unusual occurrences such as attacks, system downtime, etc.
Recommended Action	Check the success and failure rate at different time intervals to identify login patterns (e.g., different days of the week, different hours of the day). If there is a deviation from the observed pattern, check for unusual activity (e.g., attacks, system downtime etc.)

Login Attempts Distribution Over Top 10 Service Providers

View (Example)
Description	This gadget ranks the top 10 service providers for the selected time interval based on their successful login attempts as well as failed login attempts. The number of successful/failed login attempts for each service provider is plotted on the chart in order to provide a comparison.
Purpose	This gadget allows you to: Identify the most frequently accessed service providers. Detect unusual occurrences based on significant changes in the frequency with which each service provider is accessed.
Recommended Action	Click on the bars corresponding to different service providers to view successful and failed login attempts filtered by the selected service provider.

Login Attempts Distribution Over Top 10 Identity Providers

View (Example)
Description	This gadget ranks the top 10 federated identity providers for the selected time interval based on their successful login attempts as well as failed login attempts. The number of successful/failed login attempts for each federated identity provider is plotted on the chart in order to provide a comparison.
Purpose	This gadget allows you to: Identify the most frequently accessed federated identity providers. Detect unusual occurrences based on significant changes in the frequency with which each federated identity provider is accessed.
Recommended Action	Click on the bars corresponding to different identity providers to view the login success and failure attempts filtered by the selected identity provider. Click on the Resident Identity Provider link to go to the resident identity provider view.

Login Attempts Distribution Over Top 10 Users

View (Example)
Description	This gadget ranks the top 10 users for the selected time interval based on their successful login attempts as well as failed login attempts. The number of successful/failed login attempts of each user is plotted on the chart in order to provide a comparison.
Purpose	This gadget allows you to: Identify the users that make the most frequent login attempts Detect unusual occurrences based on significant changes in the frequency of the login attempts by each user.
Recommended Action	Click on the bars corresponding to different users to view the successful and failed login attempts filtered by the selected user.

Data Table

View (Example)
Description	This gadget provides a list view of login attempts during the selected time interval. Details including the username, service provider, identity provider, user role, IP, whether the authentication was successful or not, and the time stamp are displayed for each login attempt. The login attempts are sorted by the username by default, but they can also be sorted by other fields in the ascending/descending order if required. WSO2 Identity Server performs the authentication for a login in two stages as follows: Step authentication - This may include one or more authentication steps. Framework authentication If you make a failed login attempt by failing one of the authentication steps, framework authentication is not carried out because the step authentication has failed. An entry is created in the table for each authentication step that was successful, and true is displayed in the Authentication Step Success field for each of these entries.
Purpose	This gadget allows you to identify the individual login attempts made during the selected time interval and view detailed information about them.
Recommended Action	Sort the records by each field available in order to identify the login patterns relating to each Username, Service Provider, Identity Provider, Region, and IP. Deviations from the identified patterns can help you to detect unusual occurrences.