This article explains how to gather data on user application logins and differentiate between Identity Provider (IdP)- initiated and Service Provider (SP)- initiated logins. An IdP-initiated login occurs when the user clicks the application tile from their dashboard. An SP-initiated login occurs when the user authenticates directly from the application's login page. The Application Access report queries the system log to show when users access any application integration.

• Reports

1. Navigate to the Admin console.
2. Go to Reports > Reports.
3. Under the System log panel (on the right-hand side of the screen), click Application access. This action opens the System Log page with a pre-populated query that shows all application logins.

4. Specify a date range to filter the report. NOTE: System log events are retained for 90 days.

5. To filter for all IdP-initiated login events, use the following query:

   eventType eq "user.authentication.sso" and debugContext.debugData.initiationType eq "IDP_INITIATED"

6. To filter for all SP-initiated login events, use the following query:

   eventType eq "user.authentication.sso" and debugContext.debugData.initiationType eq "SP_INITIATED"

7. Click Download CSV to export the filtered results.

Related References

• Application Access report