From 1b51bf89b55282276093551203c12ccb25963a8d Mon Sep 17 00:00:00 2001 From: nerda-codes Date: Thu, 25 Sep 2025 15:39:45 +0200 Subject: [PATCH 1/9] docs(add): first part --- .../reference-content/iam-authentication-logs.mdx | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 pages/audit-trail/reference-content/iam-authentication-logs.mdx diff --git a/pages/audit-trail/reference-content/iam-authentication-logs.mdx b/pages/audit-trail/reference-content/iam-authentication-logs.mdx new file mode 100644 index 0000000000..b98c3a59d4 --- /dev/null +++ b/pages/audit-trail/reference-content/iam-authentication-logs.mdx @@ -0,0 +1,11 @@ +--- +title: IAM authentication logs in Audit Trail +description: Discover which IAM events are logged in Audit Trail and what they mean. +tags: audit-trail iam-authentication iam-logs authentication-logs +dates: + validation: 2025-09-30 + posted: 2025-09-30 +--- + +This page explains how to differentiate IAM member login methods and understand what is logged whenever you log in as an IAM member. + From 5b45d6b25b60275e15a35d5981b304aa2b00a732 Mon Sep 17 00:00:00 2001 From: nerda-codes Date: Tue, 30 Sep 2025 12:51:23 +0200 Subject: [PATCH 2/9] docs(add): saml and auth methods --- .../iam-authentication-logs.mdx | 103 +++++++++++++++++- 1 file changed, 102 insertions(+), 1 deletion(-) diff --git a/pages/audit-trail/reference-content/iam-authentication-logs.mdx b/pages/audit-trail/reference-content/iam-authentication-logs.mdx index b98c3a59d4..cccbb317cf 100644 --- a/pages/audit-trail/reference-content/iam-authentication-logs.mdx +++ b/pages/audit-trail/reference-content/iam-authentication-logs.mdx 
@@ -7,5 +7,106 @@ dates: posted: 2025-09-30 --- -This page explains how to differentiate IAM member login methods and understand what is logged whenever you log in as an IAM member. +This page explains how to differentiate IAM member authentication methods and understand and how they appear in Audit Trail. + + +## 1. Authentication code login + +This flow allows a user to log in using an **authentication code** sent via email. + +- `InitiateMagicCodeLogin` + Sends the user an email containing a 6-digit authentication code. + +- `CreateMagicCodeLogin` + Authenticates the user based on their username and the 6-digit authentication codee received. + +If multifactor authentication (MFA) is required, the flow proceeds to `CheckLoginMFAOTP`. Otherwise, the flow redirects to `CommitLogin`. + + +## 2. Password login + +This is the standard login method using a username and password. + +- `CreatePasswordLogin` + Authenticates the user with their username and password. + +If MFA is required, the system verifies it through `CheckLoginMFAOTP`. If not, the flow continues directly to `CommitLogin`. + + + +## 3. OAuth2 login + +This flow is based on external OAuth2 authentication providers. + +- `InitiateOAuth2Login` + Redirects the user to the external OAuth2 provider for authentication. + +- `CreateOAuth2Login` + Finalizes authentication once the OAuth2 provider confirms the user identity. + +As with the other methods, if MFA is required, `CheckLoginMFAOTP` is triggered before committing the login. Otherwise, the flow continues to `CommitLogin`. + + +## 4. SAML login + +This flow integrates with **SAML (Security Assertion Markup Language)** for Single Sign-On (SSO). +It allows you to set up identity federation on your Organization and provide your teams with secure access to their via an Identity Provider (IdP). + +- `InitiateSamlLogin` + Starts the SAML login process and redirects the user to the Identity Provider (IdP). 
+ +- `CreateSamlLogin` + Finalizes authentication once the SAML response is received and validated. + +- `EnableOrganizationSaml` + Activates SAML authentication for the organization. + +- `AddSamlCertificate` + Adds a certificate used to validate SAML assertions. + +- `UpdateSaml` + Updates the SAML configuration for the organization. + +- `DeleteSaml` + Removes the SAML configuration for the organization. + +- `DeleteSamlCertificate` + Deletes an existing SAML certificate. + +- `CreateJWT` + Creates a JWT token after successful SAML authentication. + +- `DeleteJWT` + Deletes a previously issued JWT token. + +## Common steps + +- `CheckLoginMFAOTP` + Validates the Multi-Factor Authentication one-time password (OTP) if required. + +- `CommitLogin` + The final step of the login process. Transforms the authenticated session into a JWT (JSON Web Token). + + +## Summary of authentication methods + +| Method name | Description | Authentication flow | +|---------------------------|--------------------------------------------------------------------|--------------------------| +| **InitiateMagicCodeLogin**| Sends the user an email containing a 6-digit authentication code. | Authentication code login | +| **CreateMagicCodeLogin** | Authenticates using username and the 6-digit authentication code. | Authentication code login | +| **CreatePasswordLogin** | Authenticates using username and password. | Password login | +| **InitiateOAuth2Login** | Redirects the user to the OAuth2 provider for authentication. | OAuth2 login | +| **CreateOAuth2Login** | Finalizes authentication after OAuth2 provider confirmation. | OAuth2 login | +| **InitiateSamlLogin** | Starts the SAML login process and redirects to the IdP. | SAML login | +| **CreateSamlLogin** | Finalizes authentication after receiving SAML response. | SAML login | +| **EnableOrganizationSaml**| Enables SAML authentication for the organization. 
| SAML login | +| **AddSamlCertificate** | Adds a certificate to validate SAML assertions. | SAML login | +| **UpdateSaml** | Updates SAML configuration. | SAML login | +| **DeleteSaml** | Deletes SAML configuration. | SAML login | +| **DeleteSamlCertificate** | Removes a SAML certificate. | SAML login | +| **CreateJWT** | Issues a JWT token after successful SAML authentication. | SAML login | +| **DeleteJWT** | Deletes a previously issued JWT token. | SAML login | +| **CheckLoginMFAOTP** | Validates the MFA one-time password if required. | All flows (if MFA) | +| **CommitLogin** | Finalizes login and transforms the session into a JWT. | All flows | + From 223cb4205563862a9295ef9be5eba505c53e85b9 Mon Sep 17 00:00:00 2001 From: nerda-codes Date: Tue, 30 Sep 2025 12:52:51 +0200 Subject: [PATCH 3/9] docs(fix): rm typos --- .../reference-content/iam-authentication-logs.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pages/audit-trail/reference-content/iam-authentication-logs.mdx b/pages/audit-trail/reference-content/iam-authentication-logs.mdx index cccbb317cf..0dc209960d 100644 --- a/pages/audit-trail/reference-content/iam-authentication-logs.mdx +++ b/pages/audit-trail/reference-content/iam-authentication-logs.mdx @@ -10,7 +10,7 @@ dates: This page explains how to differentiate IAM member authentication methods and understand and how they appear in Audit Trail. -## 1. Authentication code login +## Authentication code login This flow allows a user to log in using an **authentication code** sent via email. @@ -23,7 +23,7 @@ This flow allows a user to log in using an **authentication code** sent via emai If multifactor authentication (MFA) is required, the flow proceeds to `CheckLoginMFAOTP`. Otherwise, the flow redirects to `CommitLogin`. -## 2. Password login +## Password login This is the standard login method using a username and password. 
@@ -34,7 +34,7 @@ If MFA is required, the system verifies it through `CheckLoginMFAOTP`. If not, t -## 3. OAuth2 login +## OAuth2 login This flow is based on external OAuth2 authentication providers. @@ -47,7 +47,7 @@ This flow is based on external OAuth2 authentication providers. As with the other methods, if MFA is required, `CheckLoginMFAOTP` is triggered before committing the login. Otherwise, the flow continues to `CommitLogin`. -## 4. SAML login +## SAML login This flow integrates with **SAML (Security Assertion Markup Language)** for Single Sign-On (SSO). It allows you to set up identity federation on your Organization and provide your teams with secure access to their via an Identity Provider (IdP). From 04b92925d366a2f4bf4ebc1c7b6cbf15b4a978bf Mon Sep 17 00:00:00 2001 From: nerda-codes Date: Tue, 30 Sep 2025 15:54:03 +0200 Subject: [PATCH 4/9] docs(add): feedback --- .../iam-authentication-logs.mdx | 45 +++++-------------- 1 file changed, 12 insertions(+), 33 deletions(-) diff --git a/pages/audit-trail/reference-content/iam-authentication-logs.mdx b/pages/audit-trail/reference-content/iam-authentication-logs.mdx index 0dc209960d..2c8ff55fff 100644 --- a/pages/audit-trail/reference-content/iam-authentication-logs.mdx +++ b/pages/audit-trail/reference-content/iam-authentication-logs.mdx @@ -9,6 +9,7 @@ dates: This page explains how to differentiate IAM member authentication methods and understand and how they appear in Audit Trail. +This page only covers **Unauthenticated API** methods that actually perform and/or complete an authentication step. ## Authentication code login 
@@ -52,32 +53,13 @@ As with the other methods, if MFA is required, `CheckLoginMFAOTP` is triggered b This flow integrates with **SAML (Security Assertion Markup Language)** for Single Sign-On (SSO). It allows you to set up identity federation on your Organization and provide your teams with secure access to their via an Identity Provider (IdP). -- `InitiateSamlLogin` - Starts the SAML login process and redirects the user to the Identity Provider (IdP). +- `InitiateSamlLogin`**` + Starts the SAML login and redirects the user to the IdP. - `CreateSamlLogin` Finalizes authentication once the SAML response is received and validated. -- `EnableOrganizationSaml` - Activates SAML authentication for the organization. - -- `AddSamlCertificate` - Adds a certificate used to validate SAML assertions. - -- `UpdateSaml` - Updates the SAML configuration for the organization. - -- `DeleteSaml` - Removes the SAML configuration for the organization. - -- `DeleteSamlCertificate` - Deletes an existing SAML certificate. - -- `CreateJWT` - Creates a JWT token after successful SAML authentication. - -- `DeleteJWT` - Deletes a previously issued JWT token. +As with the other methods, if MFA is required, `CheckLoginMFAOTP` is triggered before committing the login. Otherwise, the flow continues to `CommitLogin`. ## Common steps @@ -87,6 +69,9 @@ It allows you to set up identity federation on your Organization and provide you - `CommitLogin` The final step of the login process. Transforms the authenticated session into a JWT (JSON Web Token). +- `RenewJWT` + Exchanges a valid login session/refresh context for a new JWT without re-authenticating credentials. + ## Summary of authentication methods 
@@ -97,16 +82,10 @@ It allows you to set up identity federation on your Organization and provide you | **CreatePasswordLogin** | Authenticates using username and password. | Password login | | **InitiateOAuth2Login** | Redirects the user to the OAuth2 provider for authentication. | OAuth2 login | | **CreateOAuth2Login** | Finalizes authentication after OAuth2 provider confirmation. | OAuth2 login | -| **InitiateSamlLogin** | Starts the SAML login process and redirects to the IdP. | SAML login | -| **CreateSamlLogin** | Finalizes authentication after receiving SAML response. | SAML login | -| **EnableOrganizationSaml**| Enables SAML authentication for the organization. | SAML login | -| **AddSamlCertificate** | Adds a certificate to validate SAML assertions. | SAML login | -| **UpdateSaml** | Updates SAML configuration. | SAML login | -| **DeleteSaml** | Deletes SAML configuration. | SAML login | -| **DeleteSamlCertificate** | Removes a SAML certificate. | SAML login | -| **CreateJWT** | Issues a JWT token after successful SAML authentication. | SAML login | -| **DeleteJWT** | Deletes a previously issued JWT token. | SAML login | -| **CheckLoginMFAOTP** | Validates the MFA one-time password if required. | All flows (if MFA) | -| **CommitLogin** | Finalizes login and transforms the session into a JWT. | All flows | +| **InitiateSamlLogin** | Redirects the user to the SAML IdP. | SAML Login | +| **CreateSamlLogin** | Finalizes login after SAML response validation. | SAML Login | +| **CheckLoginMFAOTP** | Validates MFA OTP when required. | All flows (if MFA) | +| **CommitLogin** | Commits login and issues the JWT. | All flows | +| **RenewJWT** | Renews the JWT without full re-authentication. | Session maintenance | From d40f2129cfe2e2c2ce159348c8c9d9a788bca2e2 Mon Sep 17 00:00:00 2001 
From: nerda-codes Date: Tue, 30 Sep 2025 15:55:02 +0200 Subject: [PATCH 5/9] docs(fix): typo --- .../audit-trail/reference-content/iam-authentication-logs.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pages/audit-trail/reference-content/iam-authentication-logs.mdx b/pages/audit-trail/reference-content/iam-authentication-logs.mdx index 2c8ff55fff..d1bf09a3e4 100644 --- a/pages/audit-trail/reference-content/iam-authentication-logs.mdx +++ b/pages/audit-trail/reference-content/iam-authentication-logs.mdx @@ -82,8 +82,8 @@ As with the other methods, if MFA is required, `CheckLoginMFAOTP` is triggered b | **CreatePasswordLogin** | Authenticates using username and password. | Password login | | **InitiateOAuth2Login** | Redirects the user to the OAuth2 provider for authentication. | OAuth2 login | | **CreateOAuth2Login** | Finalizes authentication after OAuth2 provider confirmation. | OAuth2 login | -| **InitiateSamlLogin** | Redirects the user to the SAML IdP. | SAML Login | -| **CreateSamlLogin** | Finalizes login after SAML response validation. | SAML Login | +| **InitiateSamlLogin** | Redirects the user to the SAML IdP. | SAML login | +| **CreateSamlLogin** | Finalizes login after SAML response validation. | SAML login | | **CheckLoginMFAOTP** | Validates MFA OTP when required. | All flows (if MFA) | | **CommitLogin** | Commits login and issues the JWT. | All flows | | **RenewJWT** | Renews the JWT without full re-authentication. | Session maintenance | From 17907bc11f78bdd646c8b731a0cfd1ca9f733188 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?N=C3=A9da?= <87707325+nerda-codes@users.noreply.github.com> Date: Tue, 30 Sep 2025 17:42:59 +0200 Subject: [PATCH 6/9] Apply suggestions from code review --- .../audit-trail/reference-content/iam-authentication-logs.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/pages/audit-trail/reference-content/iam-authentication-logs.mdx b/pages/audit-trail/reference-content/iam-authentication-logs.mdx index d1bf09a3e4..59d71c3540 100644 --- a/pages/audit-trail/reference-content/iam-authentication-logs.mdx +++ b/pages/audit-trail/reference-content/iam-authentication-logs.mdx @@ -1,5 +1,5 @@ --- -title: IAM authentication logs in Audit Trail +title: IAM authentication events in Audit Trail description: Discover which IAM events are logged in Audit Trail and what they mean. tags: audit-trail iam-authentication iam-logs authentication-logs dates: @@ -26,7 +26,7 @@ If multifactor authentication (MFA) is required, the flow proceeds to `CheckLogi ## Password login -This is the standard login method using a username and password. +This method allows you to authenticate using a username and password. - `CreatePasswordLogin` Authenticates the user with their username and password. From 5ada20d7133877f609759c8c200f27efc11d82f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?N=C3=A9da?= <87707325+nerda-codes@users.noreply.github.com> Date: Wed, 1 Oct 2025 10:16:17 +0200 Subject: [PATCH 7/9] Apply suggestions from code review --- .../audit-trail/reference-content/iam-authentication-logs.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pages/audit-trail/reference-content/iam-authentication-logs.mdx b/pages/audit-trail/reference-content/iam-authentication-logs.mdx index 59d71c3540..633c3435a1 100644 --- a/pages/audit-trail/reference-content/iam-authentication-logs.mdx +++ b/pages/audit-trail/reference-content/iam-authentication-logs.mdx 
@@ -51,7 +51,7 @@ As with the other methods, if MFA is required, `CheckLoginMFAOTP` is triggered b ## SAML login This flow integrates with **SAML (Security Assertion Markup Language)** for Single Sign-On (SSO). -It allows you to set up identity federation on your Organization and provide your teams with secure access to their via an Identity Provider (IdP). +It allows you to set up identity federation on your Organization and provide your teams with secure access to their accounts via an Identity Provider (IdP). - `InitiateSamlLogin`**` Starts the SAML login and redirects the user to the IdP. @@ -70,7 +70,7 @@ As with the other methods, if MFA is required, `CheckLoginMFAOTP` is triggered b The final step of the login process. Transforms the authenticated session into a JWT (JSON Web Token). - `RenewJWT` - Exchanges a valid login session/refresh context for a new JWT without re-authenticating credentials. + Exchanges a valid login session/refresh context for a new JWT without re-authenticating credentials. JWTs are valid during 1 hour. If a member refreshes the Scaleway console or performs actions more than 1 hour after the last creation or update of a JWT, the JWT will be renewed. ## Summary of authentication methods From 27d183af1f98c23f3e521fecd43dae69dbba8d9a Mon Sep 17 00:00:00 2001 From: nerda-codes Date: Wed, 1 Oct 2025 10:28:40 +0200 Subject: [PATCH 8/9] docs(add): feedback --- .../reference-content/iam-authentication-logs.mdx | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/pages/audit-trail/reference-content/iam-authentication-logs.mdx b/pages/audit-trail/reference-content/iam-authentication-logs.mdx index 633c3435a1..c9bcbabe2c 100644 --- a/pages/audit-trail/reference-content/iam-authentication-logs.mdx +++ b/pages/audit-trail/reference-content/iam-authentication-logs.mdx 
@@ -3,11 +3,11 @@ title: IAM authentication events in Audit Trail description: Discover which IAM events are logged in Audit Trail and what they mean. tags: audit-trail iam-authentication iam-logs authentication-logs dates: - validation: 2025-09-30 - posted: 2025-09-30 + validation: 2025-10-01 + posted: 2025-10-01 --- -This page explains how to differentiate IAM member authentication methods and understand and how they appear in Audit Trail. +This page explains how to differentiate IAM members authentication methods and understand and how they appear in Audit Trail. This page only covers **Unauthenticated API** methods that actually perform and/or complete an authentication step. @@ -19,7 +19,7 @@ This flow allows a user to log in using an **authentication code** sent via emai Sends the user an email containing a 6-digit authentication code. - `CreateMagicCodeLogin` - Authenticates the user based on their username and the 6-digit authentication codee received. + Authenticates the user based on their username and the 6-digit authentication code received. If multifactor authentication (MFA) is required, the flow proceeds to `CheckLoginMFAOTP`. Otherwise, the flow redirects to `CommitLogin`. @@ -53,7 +53,7 @@ As with the other methods, if MFA is required, `CheckLoginMFAOTP` is triggered b This flow integrates with **SAML (Security Assertion Markup Language)** for Single Sign-On (SSO). It allows you to set up identity federation on your Organization and provide your teams with secure access to their accounts via an Identity Provider (IdP). -- `InitiateSamlLogin`**` +- `InitiateSamlLogin` Starts the SAML login and redirects the user to the IdP. - `CreateSamlLogin` 
@@ -70,7 +70,7 @@ As with the other methods, if MFA is required, `CheckLoginMFAOTP` is triggered b The final step of the login process. Transforms the authenticated session into a JWT (JSON Web Token). - `RenewJWT` - Exchanges a valid login session/refresh context for a new JWT without re-authenticating credentials. JWTs are valid during 1 hour. If a member refreshes the Scaleway console or performs actions more than 1 hour after the last creation or update of a JWT, the JWT will be renewed. + Exchanges a valid login session/refresh context for a new JWT without re-authenticating credentials. JWTs are valid for 1 hour. If a member refreshes the Scaleway console or performs actions more than 1 hour after the last creation or update of a JWT, the JWT will be renewed. ## Summary of authentication methods From e8b00310317a25c7da484b66d344e90e6274adb2 Mon Sep 17 00:00:00 2001 From: nerda-codes Date: Wed, 1 Oct 2025 10:30:14 +0200 Subject: [PATCH 9/9] docs(add): add menu entry --- menu/navigation.json | 4 ++++ ...-authentication-logs.mdx => iam-authentication-events.mdx} | 0 2 files changed, 4 insertions(+) rename pages/audit-trail/reference-content/{iam-authentication-logs.mdx => iam-authentication-events.mdx} (100%) diff --git a/menu/navigation.json b/menu/navigation.json index 78e4643b3f..56f542e363 100644 --- a/menu/navigation.json +++ b/menu/navigation.json @@ -3763,6 +3763,10 @@ "label": "Audit Trail product integration", "slug": "resource-integration-with-adt" }, + { + "label": "IAM authentication events in Audit Trail", + "slug": "iam-authentication-events" + }, { "label": "Supported endpoints for Audit Trail", "slug": "adt-supported-endpoints" diff --git a/pages/audit-trail/reference-content/iam-authentication-logs.mdx b/pages/audit-trail/reference-content/iam-authentication-events.mdx similarity index 100% rename from pages/audit-trail/reference-content/iam-authentication-logs.mdx rename to pages/audit-trail/reference-content/iam-authentication-events.mdx
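Review bot: PATCH 2, hunk `@@ -7,5 +7,106 @@`: every flow on this page is described only for the success path, and nothing says what appears in Audit Trail when `CreatePasswordLogin`, `CreateMagicCodeLogin`, `CreateOAuth2Login`, `CreateSamlLogin` or `CheckLoginMFAOTP` fails (wrong password, wrong or expired code, invalid OTP, rejected SAML response), nor whether the logged event carries a success/failure outcome. That is the one thing a reader correlating these events for password-spraying or MFA-prompt abuse needs, so add a short "Failed attempts" paragraph under `## Common steps` (or one sentence per flow) stating whether failed calls are recorded and how they are told apart from successful ones. Two wording problems in the same hunk: `+It allows you to set up identity federation on your Organization and provide your teams with secure access to their via an Identity Provider (IdP).` is missing the noun after "their" (corrected to "their accounts" in PATCH 7), and `+  Authenticates the user based on their username and the 6-digit authentication codee received.` has "codee" (corrected in PATCH 8); consider squashing so the intermediate commits do not ship these.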
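Review bot: PATCH 4, hunk `@@ -9,6 +9,7 @@`: the new scope sentence `+This page only covers **Unauthenticated API** methods that actually perform and/or complete an authentication step.` is contradicted by the same patch, which adds `RenewJWT` and labels it "Session maintenance" in the summary table rather than an authentication step. Either widen the sentence to "methods that perform or complete an authentication step, plus JWT renewal" or explain why `RenewJWT` belongs on this page; "actually perform and/or complete" can be simplified to "perform or complete".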
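Review bot: PATCH 4, hunk `@@ -52,32 +53,13 @@`: the line `+- `InitiateSamlLogin`**`` carries stray `**`` after the closing backtick, which renders as a broken inline code span (fixed in PATCH 8). More important for the content, `+  Exchanges a valid login session/refresh context for a new JWT without re-authenticating credentials.` does not say what the caller presents to `RenewJWT` (the expiring JWT itself, a separate refresh credential, the browser session), which is exactly what a reader needs in order to judge whether possession of a JWT alone is enough to keep it alive through this endpoint; name the credential that is exchanged, or say explicitly that the page does not document it. The removal of `EnableOrganizationSaml`, `AddSamlCertificate`, `UpdateSaml`, `DeleteSaml` and `DeleteSamlCertificate` is consistent with the new scope, but these are the events that change who can authenticate through SSO, so leave a one-line pointer to where the IAM configuration events are documented (the existing "Supported endpoints for Audit Trail" page visible in the PATCH 9 navigation context is the obvious target).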
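Review bot: PATCH 6, hunk `@@ -1,5 +1,5 @@`: the title is renamed from "logs" to "events" but `tags: audit-trail iam-authentication iam-logs authentication-logs` keeps the old wording, and the file itself stays `iam-authentication-logs.mdx` until PATCH 9; align the tags (for example `iam-events authentication-events` alongside or instead of the `-logs` tags) in the same commit as the title so search and navigation agree with the page name.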
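Review bot: PATCH 7, hunk `@@ -70,7 +70,7 @@`: `+  ... JWTs are valid during 1 hour. If a member refreshes the Scaleway console or performs actions more than 1 hour after the last creation or update of a JWT, the JWT will be renewed.` gives the JWT lifetime but not the renewal window: it does not say how long after the 1-hour expiry `RenewJWT` still succeeds, or whether there is a maximum session age after which a fresh `CommitLogin` is required. Without that bound a reader cannot tell whether a `RenewJWT` event appearing days after the member's last `CommitLogin` is expected behaviour or a sign of a reused session. State the bound, or say explicitly that renewal is unbounded while the session remains valid, and add that `RenewJWT` can therefore appear in a queried time range with no preceding login event for the same member. "valid during 1 hour" should read "valid for 1 hour" (fixed in PATCH 8).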
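Review bot: PATCH 8, hunk `@@ -3,11 +3,11 @@`: the reworded intro `+This page explains how to differentiate IAM members authentication methods and understand and how they appear in Audit Trail.` still carries the doubled "and understand and" from PATCH 2 and introduces "members authentication", which should be "member authentication" (or "members' authentication"). Suggested line: "This page explains how to differentiate IAM member authentication methods and how they appear in Audit Trail."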