audit-trail(add): iam authentication methods #5589
Merged
Changes from 7 commits
9 commits
1b51bf8 docs(add): first part (nerda-codes)
5b45d6b docs(add): saml and auth methods (nerda-codes)
223cb42 docs(fix): rm typos (nerda-codes)
04b9292 docs(add): feedback (nerda-codes)
d40f212 docs(fix): typo (nerda-codes)
17907bc Apply suggestions from code review (nerda-codes)
5ada20d Apply suggestions from code review (nerda-codes)
27d183a docs(add): feedback (nerda-codes)
e8b0031 docs(add): add menu entry (nerda-codes)
91 changes: 91 additions & 0 deletions
pages/audit-trail/reference-content/iam-authentication-logs.mdx
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,91 @@ | ||
| --- | ||
| title: IAM authentication events in Audit Trail | ||
| description: Discover which IAM events are logged in Audit Trail and what they mean. | ||
| tags: audit-trail iam-authentication iam-logs authentication-logs | ||
| dates: | ||
| validation: 2025-09-30 | ||
| posted: 2025-09-30 | ||
| --- | ||
|
|
||
| This page explains how to differentiate IAM member authentication methods and understand and how they appear in Audit Trail. | ||
|
|
||
| This page only covers **Unauthenticated API** methods that actually perform and/or complete an authentication step. | ||
|
|
||
| ## Authentication code login | ||
|
|
||
| This flow allows a user to log in using an **authentication code** sent via email. | ||
|
|
||
| - `InitiateMagicCodeLogin` | ||
| Sends the user an email containing a 6-digit authentication code. | ||
|
|
||
| - `CreateMagicCodeLogin` | ||
| Authenticates the user based on their username and the 6-digit authentication codee received. | ||
|
||
|
|
||
| If multifactor authentication (MFA) is required, the flow proceeds to `CheckLoginMFAOTP`. Otherwise, the flow redirects to `CommitLogin`. | ||
|
|
||
|
|
||
| ## Password login | ||
|
|
||
| This method allows you to authenticate using a username and password. | ||
|
|
||
| - `CreatePasswordLogin` | ||
| Authenticates the user with their username and password. | ||
|
|
||
| If MFA is required, the system verifies it through `CheckLoginMFAOTP`. If not, the flow continues directly to `CommitLogin`. | ||
|
|
||
|
|
||
|
|
||
| ## OAuth2 login | ||
|
|
||
| This flow is based on external OAuth2 authentication providers. | ||
|
|
||
| - `InitiateOAuth2Login` | ||
| Redirects the user to the external OAuth2 provider for authentication. | ||
|
|
||
| - `CreateOAuth2Login` | ||
| Finalizes authentication once the OAuth2 provider confirms the user identity. | ||
|
|
||
| As with the other methods, if MFA is required, `CheckLoginMFAOTP` is triggered before committing the login. Otherwise, the flow continues to `CommitLogin`. | ||
|
|
||
|
|
||
| ## SAML login | ||
|
|
||
| This flow integrates with **SAML (Security Assertion Markup Language)** for Single Sign-On (SSO). | ||
| It allows you to set up identity federation on your Organization and provide your teams with secure access to their accounts via an Identity Provider (IdP). | ||
|
|
||
| - `InitiateSamlLogin`**` | ||
|
||
| Starts the SAML login and redirects the user to the IdP. | ||
|
|
||
| - `CreateSamlLogin` | ||
| Finalizes authentication once the SAML response is received and validated. | ||
|
|
||
| As with the other methods, if MFA is required, `CheckLoginMFAOTP` is triggered before committing the login. Otherwise, the flow continues to `CommitLogin`. | ||
|
|
||
| ## Common steps | ||
|
|
||
| - `CheckLoginMFAOTP` | ||
| Validates the Multi-Factor Authentication one-time password (OTP) if required. | ||
|
|
||
| - `CommitLogin` | ||
| The final step of the login process. Transforms the authenticated session into a JWT (JSON Web Token). | ||
|
|
||
| - `RenewJWT` | ||
| Exchanges a valid login session/refresh context for a new JWT without re-authenticating credentials. JWTs are valid during 1 hour. If a member refreshes the Scaleway console or performs actions more than 1 hour after the last creation or update of a JWT, the JWT will be renewed. | ||
|
||
|
|
||
|
|
||
| ## Summary of authentication methods | ||
|
|
||
| | Method name | Description | Authentication flow | | ||
| |---------------------------|--------------------------------------------------------------------|--------------------------| | ||
| | **InitiateMagicCodeLogin**| Sends the user an email containing a 6-digit authentication code. | Authentication code login | | ||
| | **CreateMagicCodeLogin** | Authenticates using username and the 6-digit authentication code. | Authentication code login | | ||
| | **CreatePasswordLogin** | Authenticates using username and password. | Password login | | ||
| | **InitiateOAuth2Login** | Redirects the user to the OAuth2 provider for authentication. | OAuth2 login | | ||
| | **CreateOAuth2Login** | Finalizes authentication after OAuth2 provider confirmation. | OAuth2 login | | ||
| | **InitiateSamlLogin** | Redirects the user to the SAML IdP. | SAML login | | ||
| | **CreateSamlLogin** | Finalizes login after SAML response validation. | SAML login | | ||
| | **CheckLoginMFAOTP** | Validates MFA OTP when required. | All flows (if MFA) | | ||
| | **CommitLogin** | Commits login and issues the JWT. | All flows | | ||
| | **RenewJWT** | Renews the JWT without full re-authentication. | Session maintenance | | ||
|
|
||
|
|
||
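Review bot: none of the method descriptions, in the per-flow lists or in the "Summary of authentication methods" table, says whether a failed attempt (a wrong password at `CreatePasswordLogin`, a rejected OTP at `CheckLoginMFAOTP`) produces an Audit Trail event or how it would differ from a successful one. Readers will use this page to interpret login activity, so please add a sentence on that or state that it is out of scope. Smaller fixes in the same file: the SAML list item has a stray `**` and an extra backtick after `InitiateSamlLogin`, which will break inline-code rendering on that line; "codee" under `CreateMagicCodeLogin` should be "code"; the intro sentence "understand and how they appear" has a leftover "and"; and "JWTs are valid during 1 hour" should read "valid for 1 hour". `RenewJWT` is listed under "## Common steps" while the table classes it as "Session maintenance" rather than a login step, so consider giving it its own heading.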