Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
82 changes: 82 additions & 0 deletions en/asgardeo/docs/guides/insights.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,82 @@
# Insights

Asgardeo provides built-in identity **Insights** that let administrators and organization owners analyze the identity activity of their organization, such as logins, registrations, token issuance, and more.

Insights are available **out of the box**. When your Asgardeo organization is created, Asgardeo automatically provisions a dedicated analytics workspace for your organization and begins publishing your identity events to it. The resulting dashboards are then embedded directly in the **Insights** section of the Asgardeo Console — there is nothing to install, configure, or enable.

## View your insights

To view the insights of your organization:

1. On the Asgardeo Console, go to **Insights**.

2. Explore the available dashboards to analyze activities such as logins, registrations, and token issuance for your organization.

3. Use the duration selector to adjust the time period shown in the dashboards.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Use a shorter phrase than “time period.”

Replace “time period” with “time range” or “duration” to satisfy the wording rule and keep the step concise.
As per coding guidelines: use plain language and short sentences, and avoid wordy phrasing in documentation.

🧰 Tools
🪛 GitHub Check: Vale style check

[warning] 15-15:
[vale] reported by reviewdog 🐶
[WSO2-IAM.TooWordy] 'time period' is too wordy.

Raw Output:
{"message": "[WSO2-IAM.TooWordy] 'time period' is too wordy.", "location": {"path": "en/asgardeo/docs/guides/insights.md", "range": {"start": {"line": 15, "column": 44}}}, "severity": "WARNING"}

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@en/asgardeo/docs/guides/insights.md` at line 15, Change the phrase in the
sentence "Use the duration selector to adjust the time period shown in the
dashboards." by replacing "time period" with a shorter term such as "time range"
or "duration" so the sentence reads e.g. "Use the duration selector to adjust
the time range shown in the dashboards."; update the exact sentence where it
appears to keep wording concise and plain.

Sources: Coding guidelines, Linters/SAST tools


![Asgardeo Insights dashboard]({{base_path}}/assets/img/guides/insights/insights-dashboard.png){: width="700" style="display: block; margin: 0; border: 0.3px solid lightgrey;"}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the referenced image asset exists
fd -i 'insights-dashboard.png'

Repository: wso2/docs-is

Length of output: 38


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 1) Search for the referenced file name anywhere in the repo
echo "== Matches for insights-dashboard.png =="
fd -i 'insights-dashboard.png' || true

# 2) Check the expected relative path (from the repo root)
echo "== Expected path existence check =="
EXPECTED="assets/img/guides/insights/insights-dashboard.png"
if [ -f "$EXPECTED" ]; then
  echo "FOUND: $EXPECTED"
else
  echo "NOT FOUND: $EXPECTED"
fi

# 3) Find all references to the asset in markdown
echo "== References in markdown =="
rg -n --hidden --glob '*.md' "insights-dashboard\.png" . || true

Repository: wso2/docs-is

Length of output: 441


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# List possible similarly-named images
echo "== Matches for *insights*dashboard* (case-insensitive) =="
fd -i '*insights*dashboard*' || true

echo "== Matches for insights-dashboard.* (case-insensitive) =="
fd -i 'insights-dashboard.*' || true

# Inspect the likely directory (if present)
echo "== Directory listing for assets/img/guides/insights =="
ls -la assets/img/guides/insights || true

# Check for any references under the same guides/insights path
echo "== References to assets/img/guides/insights =="
rg -n --hidden --glob '*.md' 'assets/img/guides/insights' . || true

Repository: wso2/docs-is

Length of output: 884


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Find any PNGs with insights-dashboard in name (case-insensitive) =="
find . -type f \( -iname "*insights-dashboard*.png" -o -iname "*insights*dashboard*.png" \) | head -n 50

echo "== Find any PNGs with insights in name (case-insensitive) =="
find . -type f \( -iname "*insights*.png" \) | head -n 50

echo "== Find any directories named 'guides/insights' under assets =="
find . -type d -path "*assets*img*guides*insights*" -print | head -n 50

echo "== Check if repo contains 'assets/img/guides/insights' exactly anywhere =="
find . -type f -path "*assets/img/guides/insights/*" -print | head -n 50

echo "== Literal references to assets/img/guides/insights in markdown =="
rg -n --hidden --glob '*.md' 'assets/img/guides/insights' . || true

Repository: wso2/docs-is

Length of output: 2220


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Any files with insights-dashboard in name (case-insensitive), any extension =="
find . -type f -iname "*insights-dashboard*" | head -n 50

echo "== Any files with insights dashboard in name (case-insensitive) =="
find . -type f \( -iname "*insights*dashboard*" -o -iname "*dashboard*insights*" \) | head -n 50

echo "== Any directories named 'insights' under assets =="
find . -type d -path "*assets*img*guides*insights*" | head -n 50

echo "== Any references to insights-dashboard.* in markdown =="
rg -n --hidden --glob '*.md' "insights-dashboard" . || true

echo "== Check if any 'assets/img/guides/insights' directories exist under en/asgardeo/docs =="
find ./en/asgardeo/docs -type d -path "*assets/img/guides/insights*" | head -n 50

echo "== Check if a likely asset path exists under en/asgardeo/docs =="
EXPECTED="en/asgardeo/docs/assets/img/guides/insights/insights-dashboard.png"
if [ -f "$EXPECTED" ]; then
  echo "FOUND: $EXPECTED"
else
  echo "NOT FOUND: $EXPECTED"
fi

Repository: wso2/docs-is

Length of output: 1182


Fix broken Insights dashboard image reference.

en/asgardeo/docs/guides/insights.md references {{base_path}}/assets/img/guides/insights/insights-dashboard.png, but en/asgardeo/docs/assets/img/guides/insights/insights-dashboard.png does not exist in this repository. Update the image URL to the correct existing asset or add the missing PNG.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@en/asgardeo/docs/guides/insights.md` at line 17, The markdown in
en/asgardeo/docs/guides/insights.md contains a broken image reference
"{{base_path}}/assets/img/guides/insights/insights-dashboard.png"; locate that
image tag in the file and either update the URL to point to the correct existing
asset path (use the actual filename under en/asgardeo/docs/assets/img/... that
matches the dashboard image) or add the missing PNG file at
en/asgardeo/docs/assets/img/guides/insights/insights-dashboard.png so the
relative path resolves; ensure the updated path keeps the same markup attributes
(width/style) and verify the image renders.

Source: Coding guidelines


## Data retention

By default, your identity analytics data is retained for **3 months**. Insights dashboards reflect activity within this retention window.

If you require **longer data retention** or **additional, customizable dashboards**, you can move to a dedicated [Moesif](https://www.moesif.com/price){:target="_blank"} subscription. With your own Moesif subscription you gain extended retention and the ability to build and customize your own dashboards on top of your identity data.

## Insights and your subscription tier

The depth of the built-in insights available to you depends on your **Asgardeo subscription tier**. Higher tiers unlock more advanced, built-in analytics and dashboards. As you move to a higher Asgardeo tier, additional insights become available automatically in the **Insights** section.

## Data published for insights

During your Asgardeo organization creation, Asgardeo provisions an analytics workspace for your organization and begins publishing identity events to it. These events are used to build the dashboards shown in the **Insights** section.

The following identity events are published. Each event includes contextual attributes about the activity, which may include personal data such as the end user's email, login identifiers (for example, mobile number or NIC where used as login attributes), IP address, and user agent.

<table>
<thead>
<tr>
<th>Event</th>
<th>Description</th>
<th>Key attributes published</th>
</tr>
</thead>
<tbody>
<tr>
<td><b>Authentication</b></td>
<td>Captures user login attempts and the outcome of each authentication step.</td>
<td>Timestamp, username, user ID, user store domain, organization, application, connection (identity provider), authentication step and authenticator, step result (success/failure), session ID, inbound protocol, IP address, and user agent.</td>
</tr>
<tr>
<td><b>Session</b></td>
<td>Captures the lifecycle of user sessions (creation, update, and termination).</td>
<td>Timestamp, session ID, session duration, termination reason, user ID, username, organization, application, connection, session action, and active session count.</td>
</tr>
<tr>
<td><b>Token issuance</b></td>
<td>Captures OAuth2/OpenID Connect token issuance, including machine-to-machine (M2M) tokens.</td>
<td>Timestamp, application (client ID), grant type, user type, user ID and username, user store, issuing and accessing organization, authorized and unauthorized scopes, access/refresh token validity, token ID, whether an existing token was reused, sub-organization request indicator, IP address, and error details (on failure).</td>

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Align organization terminology with the repository style rule.

The text uses “sub-organization.” Vale flags this repo style as “organization” terminology. Please normalize this wording consistently in this page (including section heading and table row attribute text) to avoid repeated style warnings.
As per coding guidelines: use one term per concept consistently and resolve style warnings for documentation.

Also applies to: 80-82

🧰 Tools
🪛 GitHub Check: Vale style check

[warning] 57-57:
[vale] reported by reviewdog 🐶
[WSO2-IAM.Organizations] Avoid using 'sub-organization'. Use 'organization' instead.

Raw Output:
{"message": "[WSO2-IAM.Organizations] Avoid using 'sub-organization'. Use 'organization' instead.", "location": {"path": "en/asgardeo/docs/guides/insights.md", "range": {"start": {"line": 57, "column": 255}}}, "severity": "WARNING"}

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@en/asgardeo/docs/guides/insights.md` at line 57, Replace all occurrences of
the phrase "sub-organization" on this page (including the section heading and
the table row attribute text currently listing "sub-organization request
indicator") with the repository's canonical organization terminology (use the
repo-preferred spelling/term for "organization") so the term is consistent
across the document; update every instance (also referenced around the other
occurrences noted) to match the repo style rule.

Sources: Coding guidelines, Linters/SAST tools

</tr>
<tr>
<td><b>Registration</b></td>
<td>Captures user account creation.</td>
<td>User created timestamp, user store domain, organization, onboarding method (administrator-initiated, self sign-up, or invitation), user ID, and user agent.</td>
</tr>
<tr>
<td><b>Flow</b></td>
<td>Captures step-by-step execution of self-registration, password recovery, and invited-user registration flows, enabling funnel analysis. Steps that occur before the user account exists are tracked under an anonymous identifier, which is linked to the resulting user once the flow completes.</td>
<td>Flow type, step type, node ID and type, context ID, organization, node response status and type, application ID, executor name, cross-organization indicator, timestamp, and error code.</td>
</tr>
<tr>
<td><b>Organization switch</b></td>
<td>Captures when a user switches into (accesses) an organization in a B2B setup.</td>
<td>User's resident (home) organization, accessing organization, application, application tenant, tenant, error code, and timestamp.</td>
</tr>
</tbody>
</table>

!!! note
More event types may be added over time as additional insights become available.

## Insights for sub-organizations

Sub-organization-level insights are published against the **root organization**. This means activity that occurs within your sub-organizations is captured under your root organization's analytics workspace, and you can use this data to analyze and build insights for your sub-organizations as well.
4 changes: 4 additions & 0 deletions en/asgardeo/docs/guides/organization-insights.md
Original file line number Diff line number Diff line change
@@ -1,2 +1,6 @@
{% set product_name = "Asgardeo" %}

!!! note
Looking for the analytics dashboards in the **Insights** section of the Console? See [Insights]({{base_path}}/guides/insights/) for the identity insights that Asgardeo provides out of the box.

{% include "../../../includes/guides/organization-insights.md" %}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fix the markdownlint blocker: file must end with exactly one newline.

CI reports MD047/single-trailing-newline for this file. Add a single trailing newline at EOF.
As per coding guidelines: run Vale/lint checks and resolve warnings/errors before finalizing documentation.

🧰 Tools
🪛 GitHub Actions: Markdown Lint / 0_lint.txt

[error] 6-6: markdownlint-cli2 (markdownlint v0.38.0) reported MD047/single-trailing-newline: Files should end with a single newline character.

🪛 GitHub Actions: Markdown Lint / lint

[error] 6-6: markdownlint (MD047/single-trailing-newline): Files should end with a single newline character.

🪛 GitHub Check: lint

[failure] 6-6: Files should end with a single newline character
en/asgardeo/docs/guides/organization-insights.md:6:65 MD047/single-trailing-newline Files should end with a single newline character https://github.com/DavidAnson/markdownlint/blob/v0.38.0/doc/md047.md

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@en/asgardeo/docs/guides/organization-insights.md` at line 6, The file
en/asgardeo/docs/guides/organization-insights.md fails MD047
(single-trailing-newline); open organization-insights.md and ensure the file
ends with exactly one newline character (remove any extra blank lines or missing
newline at EOF), then re-run the Vale/markdown linter to confirm the MD047
warning is resolved.

Sources: Coding guidelines, Pipeline failures

29 changes: 29 additions & 0 deletions en/asgardeo/docs/references/data-residency-in-asgardeo.md
Original file line number Diff line number Diff line change
Expand Up @@ -77,6 +77,35 @@ The profile information of organization administrators includes all the data tha

Data of your end users are only stored in the regional datacenter you selected when onboarding to Asgardeo.

## Analytics data

Asgardeo uses [Moesif](https://www.moesif.com/){:target="_blank"} — an analytics platform in the WSO2 product family — to power the identity [Insights]({{base_path}}/guides/insights/) available in the Console and to support WSO2's product, onboarding, subscription, and usage analytics. To do this, Asgardeo publishes both end-user and administrator data to Moesif for the purposes described below.

Analytics data is published to the Moesif workspace in the **same region you selected during onboarding** — data from US organizations is published to Moesif US, and data from EU organizations is published to Moesif EU. Your analytics data therefore remains within your selected regional boundary. By default, analytics data is retained for **3 months**.

### End-user data published for analytics

Asgardeo's built-in [Insights]({{base_path}}/guides/insights/) publishes your organization's identity events to Moesif to build the analytics dashboards shown in the **Insights** section of the Console.

**Purpose:** to provide you with identity analytics for your organization — such as logins, sessions, token issuance, registrations, registration/recovery funnels, and organization switches.

**Types of data published:** identity events and their contextual attributes, which may include personal data of your end users such as their **email address, login identifiers** (for example, mobile number or NIC where used as login attributes), **IP address,** and **user agent,** in addition to identifiers such as user ID, organization, application, and connection. See [Data published for insights]({{base_path}}/guides/insights/#data-published-for-insights) for the complete list of events and attributes.

### Administrator data published for analytics

In addition to end-user data, Asgardeo publishes certain administrator and organization data to Moesif for WSO2's own product and business analytics.

**Purpose:** to help WSO2 understand organization onboarding and administrator adoption, track subscription and tier changes for billing and business analytics, and measure product usage across organizations.

**Types of data published:**

- **Organization details** — organization ID, organization name/handle, region, activation status, and current subscription tier.
- **Administrator and owner identity** — administrator/owner user ID, email address, and name, along with organization ownership and association details.
- **Subscription data** — current subscription tier and subscription/tier-change activity.
- **Usage data** — aggregated identity activity per organization (such as counts of authentications, registrations, and token issuance) used for usage and metering analytics.

When an organization or an administrator is deleted from Asgardeo, the corresponding profile and analytics records are removed from Moesif as part of the deletion process.

## Data sharing

Some of your data, such as logs, will be accessible outside your selected region to ensure that WSO2's global entities (currently includes the USA, Sri Lanka, and Brazil) can provide technical support and other services. For example, technical support teams outside the region will need access to this data for various support and troubleshooting purposes. However, this data is stored only in the regional
Expand Down
1 change: 1 addition & 0 deletions en/asgardeo/mkdocs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -720,6 +720,7 @@ nav:
- PII in Asgardeo logs: guides/monitoring/pii-in-asgardeo-logs.md
- Asgardeo events: guides/monitoring/asgardeo-events.md
- Organization insights: guides/organization-insights.md
- Insights: guides/insights.md
- Agentic AI:
- MCP Authorization:
- MCP Authorization: guides/agentic-ai/mcp/index.md
Expand Down
159 changes: 159 additions & 0 deletions en/identity-server/next/docs/guides/analytics/moesif-analytics.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,159 @@
# Moesif Analytics

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Use sentence case in the page title.

Change # Moesif Analytics to sentence case (for example, # Moesif analytics) to satisfy the title-style rule.

As per coding guidelines, headings and document titles must use sentence case.

🧰 Tools
🪛 GitHub Check: Vale style check

[warning] 1-1:
[vale] reported by reviewdog 🐶
[WSO2-IAM.SentenceStyleTitles] 'Moesif Analytics' should use sentence-style capitalization.

Raw Output:
{"message": "[WSO2-IAM.SentenceStyleTitles] 'Moesif Analytics' should use sentence-style capitalization.", "location": {"path": "en/identity-server/next/docs/guides/analytics/moesif-analytics.md", "range": {"start": {"line": 1, "column": 3}}}, "severity": "INFO"}


[warning] 1-1:
[vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Moesif'?

Raw Output:
{"message": "[Vale.Spelling] Did you really mean 'Moesif'?", "location": {"path": "en/identity-server/next/docs/guides/analytics/moesif-analytics.md", "range": {"start": {"line": 1, "column": 3}}}, "severity": "WARNING"}

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@en/identity-server/next/docs/guides/analytics/moesif-analytics.md` at line 1,
The page title "# Moesif Analytics" should use sentence case; update the heading
text from "# Moesif Analytics" to "# Moesif analytics" so the document title
follows the sentence-case style rule (locate the top-level heading string
"Moesif Analytics" and change only its capitalization).

Sources: Coding guidelines, Linters/SAST tools


WSO2 Identity Server can publish identity events to [Moesif](https://www.moesif.com/price){:target="_blank"}, a SaaS analytics platform, so that you can build dashboards and analyze the identity activity of your deployment — such as logins, registrations, token issuance, and more.

You manage your own Moesif subscription. You connect your WSO2 Identity Server tenants to your Moesif account, choose which data to publish, and build your own dashboards in Moesif on top of the published data.

## How it works

1. You enable the Moesif integration in WSO2 Identity Server by adding a set of configurations to the `deployment.toml` file. Once these are added, an **Insights** tab becomes visible in the WSO2 Identity Server Console.
2. From the **Insights** settings page in the Console, each tenant configures their Moesif **collector key** and enables the data publishers they need. This is a **per-tenant (tenanted) configuration** — each tenant publishes to its own Moesif workspace.
3. WSO2 Identity Server publishes the selected identity events to Moesif.
4. You build and view your own dashboards in Moesif based on the published data.

!!! note
Sample / pre-built dashboards are planned for a future release but are **not yet available**. For now, you create your own dashboards in Moesif based on the published data.

## Prerequisites

- A Moesif account and subscription. You are responsible for managing your own Moesif subscription, data retention, and access.
- Access to your WSO2 Identity Server `deployment.toml` file to enable the integration.

## Step 1: Enable the Moesif integration

To make the **Insights** tab visible in the Console and enable Moesif publishing, add the following configurations to the `deployment.toml` file of your WSO2 Identity Server and restart the server.

```toml
[analytics.moesif]
enabled = true
provider_url = "https://api.moesif.net/v1"
auth_type = "API_KEY"
api_key_header = "X-Moesif-Application-Id"
stream_version = "1.0.0"
```

!!! note
`provider_url` is the base URL events are published to. The integration appends the
Moesif API path (for example `/actions` or `/users`) per event, so configure the base
URL without a trailing API path. If you publish through an intermediary (for example,
an event gateway), point `provider_url` at it instead.

The following data publishers are available. You can enable the publishers you need (these can also be enabled per tenant from the **Insights** settings page in the Console):

```toml
[identity_mgt.events.schemes.moesifUserAuthenticationPublisher.properties]
enable = true

[identity_mgt.events.schemes.moesifUserRegistrationPublisher.properties]
enable = true

[identity_mgt.events.schemes.moesifFlowPublisher.properties]
enable = true

[identity_mgt.events.schemes.moesifOrgSwitchPublisher.properties]
enable = true

[identity_mgt.events.schemes.moesifUserSessionPublisher.properties]
enable = true

[identity_mgt.events.schemes.moesifOAuthTokenIssuancePublisher.properties]
enable = true
```

Once these configurations are added and the server is restarted, the **Insights** tab appears in the WSO2 Identity Server Console.

## Step 2: Obtain your Moesif collector key

The **collector key** (also called the Application Id) is the write-only key that WSO2 Identity Server uses to publish events to your Moesif workspace. To obtain it:

1. Log in to the [Moesif portal](https://www.moesif.com/){:target="_blank"}.

2. Go to your workspace settings and open the **Collector Application Ids** (API keys) section.

3. Copy the **Collector Application Id** for the workspace you want WSO2 Identity Server to publish to.

![Obtain the Moesif collector key]({{base_path}}/assets/img/guides/analytics/moesif-analytics/moesif-collector-key.png){: width="700" style="display: block; margin: 0; border: 0.3px solid lightgrey;"}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Confirm screenshot availability or remove image dependencies.

This guide introduces new screenshots, but the current review context does not confirm that these image assets exist and are accessible in the repository build path. Please verify asset presence and rendering, or remove image dependencies from the task flow.

As per coding guidelines, do not reference images unless their existence and accessibility are explicitly confirmed.

Also applies to: 86-86

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@en/identity-server/next/docs/guides/analytics/moesif-analytics.md` at line
69, The image reference markdown line using the path
"{{base_path}}/assets/img/guides/analytics/moesif-analytics/moesif-collector-key.png"
is included but the asset may not exist; verify that this file is present and
reachable in the site build output and that the path/template variable resolves
correctly, or remove/replace the markdown image tags (the line with the Moesif
collector key image and the similar image at lines 86) so the guide does not
reference missing assets; update the markdown to either point to an existing
asset, add the missing image to assets/img/guides/analytics/moesif-analytics/,
or remove the image tags and adjust surrounding text to be self-contained.

Source: Coding guidelines


!!! note
The collector key is a **write-only** key used only to send events to Moesif. Keep a separate collector key per tenant if you want to keep each tenant's analytics data in its own Moesif workspace.

## Step 3: Configure Moesif for a tenant

After the integration is enabled, each tenant configures its own connection to Moesif from the Console:

1. On the WSO2 Identity Server Console, go to **Insights**.

2. On the Insights settings page, enter the Moesif **collector key** you obtained in Step 2 for this tenant.

3. Enable the data publishers you want for this tenant (authentication, session, token issuance, registration, flow, and organization switch).

4. Save the configuration.

![Moesif Insights settings page]({{base_path}}/assets/img/guides/analytics/moesif-analytics/insights-settings.png){: width="700" style="display: block; margin: 0; border: 0.3px solid lightgrey;"}

!!! note
Configuration is **per tenant**. Each tenant publishes data to its own Moesif workspace using its own collector key, so you can keep each tenant's analytics data separate.

## Step 4: Build dashboards in Moesif

Once data starts flowing into Moesif, you can create your own dashboards in the Moesif console based on the published data. Use the attributes published with each event (described below) to build the visualizations and reports you need.

## Data published to Moesif

The following identity events can be published to Moesif. Each event includes contextual attributes about the activity, which may include personal data such as the end user's email, login identifiers (for example, mobile number or NIC where used as login attributes), IP address, and user agent.

<table>
<thead>
<tr>
<th>Event</th>
<th>Publisher</th>
<th>Description</th>
<th>Key attributes published</th>
</tr>
</thead>
<tbody>
<tr>
<td><b>Authentication</b></td>
<td><code>moesifUserAuthenticationPublisher</code></td>
<td>Captures user login attempts and the outcome of each authentication step.</td>
<td>Timestamp, username, user ID, user store domain, tenant/organization, application (service provider), connection (identity provider), authentication step and authenticator, step result (success/failure), session ID, inbound protocol, IP address, and user agent.</td>
</tr>
<tr>
<td><b>Session</b></td>
<td><code>moesifSessionPublisher</code></td>
<td>Captures the lifecycle of user sessions (creation, update, and termination).</td>
<td>Timestamp, session ID, session duration, termination reason, user ID, username, tenant/organization, service provider, identity provider, session action, and active session count.</td>
</tr>
<tr>
<td><b>Token issuance</b></td>
<td><code>moesifTokenPublisher</code></td>
<td>Captures OAuth2/OpenID Connect token issuance, including machine-to-machine (M2M) tokens.</td>
<td>Timestamp, application (client ID), grant type, user type, user ID and username, user store, issuing and accessing organization, authorized and unauthorized scopes, access/refresh token validity, token ID, whether an existing token was reused, sub-organization request indicator, IP address, and error details (on failure).</td>
</tr>
<tr>
<td><b>Registration</b></td>
<td><code>moesifUserRegistrationPublisher</code></td>
<td>Captures user account creation.</td>
<td>User created timestamp, user store domain, tenant/organization, onboarding method (administrator-initiated, self sign-up, or invitation), user ID, and user agent.</td>
</tr>
<tr>
<td><b>Flow</b></td>
<td><code>moesifFlowPublisher</code></td>
<td>Captures step-by-step execution of self-registration, password recovery, and invited-user registration flows, enabling funnel analysis.</td>
<td>Flow type, step type, node ID and type, context ID, tenant/organization, node response status and type, application ID, executor name, cross-organization indicator, timestamp, and error code.</td>
</tr>
<tr>
<td><b>Organization switch</b></td>
<td><code>moesifOrgSwitchPublisher</code></td>
<td>Captures when a user switches into (accesses) an organization in a B2B setup.</td>
<td>User's resident (home) organization, accessing organization, application, application tenant, tenant, error code, and timestamp.</td>
</tr>
</tbody>
</table>

!!! note
More event types may be added over time.

## Insights for sub-organizations

Sub-organization-level events are published against the **root organization**. Activity that occurs within sub-organizations is captured under the root organization's Moesif workspace, so you can use this data to build dashboards for your sub-organizations as well.
1 change: 1 addition & 0 deletions en/identity-server/next/mkdocs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -964,6 +964,7 @@ nav:
- Analyze login attempts: guides/analytics/elk-analytics/analyzing-login-attempts.md
- Analyze active sessions: guides/analytics/elk-analytics/analyzing-active-sessions.md
- ELK Alerts: guides/analytics/elk-analytics/elk-alert-types.md
- Moesif Analytics: guides/analytics/moesif-analytics.md
- Web analytic solutions: guides/analytics/web-analytics-solutions.md
- A/B Testing: guides/analytics/ab-testing.md
- Multitenancy:
Expand Down