How-to guide

Use the Identity Provider Event Log for troubleshooting

Using the Identity Provider Event Log effectively combines knowing when to look at it (every SSO troubleshooting and security investigation) and how to extract data from it (filtering, exporting, alerting). The steps below cover both.

By Dipojjal Chakrabarti · Founder & Editor, Salesforce Dictionary · Last updated May 19, 2026

  1. Open the log

    Setup > Identity > Identity Provider Event Log. The page lists events in reverse chronological order.

  2. Filter to the scenario

    Use the column filters to narrow by user, Service Provider, event type, or status. Most troubleshooting starts with a specific user and time window.

  3. Read the Details field

    Click into a specific event to see the Details field. Error messages here are usually specific enough to identify the cause directly.

  4. Cross-reference with SP-side logs

    For SSO troubleshooting, the IdP log shows what Salesforce sent. The SP-side log shows what the SP received and how it interpreted it. Compare the two to identify mismatches.

  5. Export for incident response

    For security investigations, export the relevant events as part of the incident documentation. The standard list view export covers small volumes; Event Monitoring covers larger volumes.

  6. Set up alerts (with Event Monitoring)

    For real-time detection, build SIEM alerts on Event Monitoring data for patterns like repeated SSO failures or successful logins from unexpected SPs.

  7. Schedule regular log review

    Add a recurring review for any orgs running Salesforce as the IdP for multiple SPs. Pattern changes in the log often surface misconfigurations or pending issues.
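The two alert patterns named in step 6, repeated SSO failures and successful logins from unexpected SPs, as an added example that is not part of the original guide or Salesforce's own code. The CSV column names, the sample rows, the `EXPECTED_SPS` allowlist and the threshold and window values are all assumptions constructed for illustration, not the Event Monitoring schema.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export; column names are assumptions, not Salesforce's schema.
SAMPLE_EXPORT = """timestamp,user,service_provider,status
2026-05-19T09:00:05,alice@example.com,HR Portal,failure
2026-05-19T09:01:10,alice@example.com,HR Portal,failure
2026-05-19T09:02:40,alice@example.com,HR Portal,failure
2026-05-19T09:03:00,alice@example.com,HR Portal,success
2026-05-19T09:30:00,bob@example.com,Expense App,failure
2026-05-19T10:45:00,bob@example.com,Expense App,failure
2026-05-19T11:00:00,carol@example.com,Legacy Wiki,success
"""

EXPECTED_SPS = {"HR Portal", "Expense App"}  # hypothetical allowlist of approved SPs

def load_events(text):
    """Parse the export and return rows sorted oldest-first with parsed timestamps."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return sorted(rows, key=lambda r: r["timestamp"])

def repeated_failures(events, threshold=3, window=timedelta(minutes=5)):
    """Return (user, sp, first_failure_time) per burst of >= threshold failures in window."""
    recent = defaultdict(list)
    alerts = []
    for ev in events:
        if ev["status"] != "failure":
            continue
        key = (ev["user"], ev["service_provider"])
        # Drop failures that have aged out of the sliding window.
        recent[key] = [t for t in recent[key] if ev["timestamp"] - t <= window]
        recent[key].append(ev["timestamp"])
        if len(recent[key]) >= threshold:
            alerts.append((key[0], key[1], recent[key][0]))
            recent[key].clear()  # one alert per burst, not one per extra failure
    return alerts

def unexpected_sp_logins(events, expected=EXPECTED_SPS):
    """Return (user, sp) for successful logins to an SP outside the allowlist."""
    return [(e["user"], e["service_provider"]) for e in events
            if e["status"] == "success" and e["service_provider"] not in expected]

if __name__ == "__main__":
    events = load_events(SAMPLE_EXPORT)
    print(repeated_failures(events), unexpected_sp_logins(events))
```

Bob's two failures are 75 minutes apart, so they stay below the default threshold; widening the window trades fewer missed slow attempts for more noise from ordinary mistyped credentials.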

Filter by user

Narrow the log to a specific Salesforce user. The starting point for user-specific troubleshooting.

Filter by Service Provider

Narrow to a specific Connected App. Useful when one downstream app is failing while others work.

Filter by event type

Login success, login failure, configuration change. Focus on failure events for troubleshooting.

Export to Event Monitoring

Long-horizon export to an external SIEM. Required for compliance-grade audit retention.

Cross-reference with SP logs

Combine the IdP log and the SP-side log to identify configuration mismatches.

Gotchas
  • The log covers only Salesforce-as-IdP scenarios. Salesforce-as-SP logins show in Login History; do not confuse the two.
  • Default retention is limited. Without Event Monitoring, the log may not reach far enough back for compliance investigations.
  • Events cannot be deleted or modified. The log is read-only; preserve any evidence you need by screenshot or export.
  • Some SP-side errors are not visible in the IdP log because they happen after Salesforce sent the assertion. Compare with SP-side logs for the complete picture.
  • Failed SSO attempts that did not reach Salesforce produce no IdP log entry. Network-level failures, DNS issues, or SP-side errors before contacting the IdP are invisible here.
