Resolution
Login events are not automatically audited when using SSO. You could add something similar to this under the SSO Authentication Rule (text in black represents additions) to audit these logins:
<Rule
language="beanshell"
name="SSO Authentication Rule - Example"
type="SSOAuthentication">
<Source><![CDATA[
// Needed to log AuditEvents
import sailpoint.server.Auditor;
...
String userFromHeader = httpRequest.getHeader( USER_DN );
String authServer = httpRequest.getHeader( AUTHDIR_NAME );
Application app = mapAuthDirToApp( ctx, authServer );
Correlator correlator = new Correlator( ctx );
Link link = correlator.findLinkByNativeIdentity( app,
userFromHeader );
Identity user = null;
if ( link != null ) {
user = link.getIdentity();
// Write that down.
if ( Auditor.isEnabled( AuditEvent.ActionLogin ) ) // Check to see if there is auditing logging first...
Auditor.log( AuditEvent.ActionLogin, // Logging actions pertaining to logins.
userFromHeader, // The USER_DN from the HTTP Header
user );// The Identity we mapped
} else {
// Login fails
if ( Auditor.isEnabled( AuditEvent.ActionLoginFailure ) ) // Check to see if there is auditing logging first
Auditor.log( AuditEvent.ActionLoginFailure, // Logging an action pertaining to how much this login failed.
userFromHeader ); // The USER_DN from the HTTP Header (or lack thereof) which caused the login failure.
}
return user;
]]></Source>
</Rule>