Definition
Identity Provider Event Log is a Setup page that records all single sign-on events where Salesforce acts as the identity provider. It logs successful and failed authentication attempts, the target service provider, timestamps, and user details, providing an audit trail for SSO-related security monitoring.
Real-World Example
After a user reports being unable to SSO into the company's expense management tool, the admin at FinServe Bank checks the Identity Provider Event Log. She finds a failed assertion entry showing that the user's SAML attribute mapping was incorrect due to a name change. She updates the mapping and the user can successfully SSO again.
Why Identity Provider Event Log Matters
Identity Provider Event Log is a Setup page in Salesforce that records a detailed audit trail of every single sign-on event where Salesforce acts as the Identity Provider. Each log entry captures the timestamp, the user attempting authentication, the target service provider, the outcome (success or failure), and error details for failed attempts. This visibility is essential for security monitoring, compliance auditing, and troubleshooting SSO issues. When a user reports they cannot access a connected application, the event log provides the exact failure reason, such as an incorrect SAML attribute mapping, expired certificate, or mismatched Federation ID, eliminating guesswork from the debugging process.
As organizations connect more applications through SSO and face stricter compliance requirements, the Identity Provider Event Log becomes a critical security and audit tool. Security teams use the logs to detect suspicious authentication patterns, such as repeated failed SSO attempts from unusual locations or times, which could indicate account compromise attempts. For compliance frameworks like SOC 2, HIPAA, and PCI DSS, the event log provides auditable evidence of authentication controls and access tracking. Organizations that do not regularly monitor their IdP event logs miss early warning signs of security incidents and cannot demonstrate compliance during audits. Setting up automated alerts for unusual patterns, such as multiple failed attempts for a single user, adds a proactive security layer.
How Organizations Use Identity Provider Event Log
- FinServe Bank — When a user at FinServe Bank reported being unable to SSO into the expense management tool, the admin checked the Identity Provider Event Log and found a failed SAML assertion showing an incorrect attribute mapping caused by the user's recent name change. The admin updated the Federation ID mapping, and the user could access the tool within minutes.
- SecureNet Insurance — SecureNet Insurance's security team configured automated alerts on the Identity Provider Event Log to flag any user with more than 5 failed SSO attempts in an hour. When an alert fired for a service account, they discovered that a third-party application had been misconfigured after a vendor update, causing continuous authentication loops.
- AuditReady Financial — AuditReady Financial uses the Identity Provider Event Log to satisfy SOC 2 audit requirements for authentication monitoring. During their annual audit, they export 12 months of IdP event logs showing all SSO authentication attempts, success rates, and failure reasons. The auditors use this data to verify that authentication controls are functioning correctly.
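
The SecureNet Insurance alert rule described in the list above (more than 5 failed SSO attempts by one user in an hour), written as a rolling-window check over exported event rows. This is an added example, not part of the original page and not Salesforce code; the row field names (`timestamp`, `username`, `service_provider`, `status`) and the sample events are constructed assumptions, not the log's actual export schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_rows(user, sp, start, step_min, n, status="Failed"):
    """Build n constructed event rows for one user, step_min minutes apart."""
    t0 = datetime.fromisoformat(start)
    return [{"timestamp": (t0 + timedelta(minutes=step_min * i)).isoformat(),
             "username": user, "service_provider": sp, "status": status}
            for i in range(n)]


# Constructed sample events (hypothetical field names, not Salesforce's schema).
SAMPLE = (
    make_rows("svc-expense@example.com", "ExpenseTool", "2024-03-04T09:00:00", 10, 6)  # 6 in 50 min
    + make_rows("alice@example.com", "ExpenseTool", "2024-03-04T08:00:00", 40, 6)      # 6 spread over 200 min
    + make_rows("bob@example.com", "HRPortal", "2024-03-04T09:00:00", 10, 5)           # exactly 5 in 40 min
    + make_rows("bob@example.com", "HRPortal", "2024-03-04T09:55:00", 1, 1, "Success")
)


def find_failed_sso_bursts(rows, threshold=5, window=timedelta(hours=1)):
    """Return {username: alert} for users with MORE than `threshold` failures in any rolling `window`."""
    recent = defaultdict(deque)   # per-user failures still inside the window
    alerts = {}
    for row in sorted(rows, key=lambda r: datetime.fromisoformat(r["timestamp"])):
        if row["status"].strip().lower() != "failed":
            continue              # successes neither count nor reset the window
        user = row["username"].strip().lower()
        ts = datetime.fromisoformat(row["timestamp"])
        q = recent[user]
        q.append((ts, row["service_provider"]))
        while ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) > threshold and user not in alerts:   # record first crossing only
            alerts[user] = {
                "window_start": q[0][0],
                "triggered_at": ts,
                "failures": len(q),
                "service_providers": sorted({sp for _, sp in q}),
            }
    return alerts


if __name__ == "__main__":
    for user, a in find_failed_sso_bursts(SAMPLE).items():
        print(user, a["failures"], "failures by", a["triggered_at"], a["service_providers"])
```

Only the service account crosses the threshold in the sample: six failures spread over several hours and exactly five failures within the hour both stay below "more than 5 in an hour".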