While the data available in a SAML context is very limited it can be together with other supporting tools such as a SIEM provide enough data to prove either or not whatever happened.
Eg. the following text during a successful login
Feb 29 14:17:47 simplesamlphp NOTICE STAT [1dddb4dd04] User 'test' has been successfully authenticated.
sha256: 9a5780abcd0957eb3fc6b69592985b08ef0883decb28901a28c6ad1cf0aa8c36
And the following for a two factor in addition to l/p
2016-02-29 14:17:47 | [1dddb4dd04] 4xxxxxx5
sha256: e8a6bdf19eaa2551a76cc8583149153dc7e2cdceae4f56a330eb07a2034c3341
sha256 + twofa log
0519e13f6e9afccaea907e8f9f3df007529c2fbbe216c45f8e2cbc5036cce34d
This could be stored in a asset named 'test' since the context is a user with the userid as primary key. The further chaining can follow the within the same asset or be extended to also include more context such as source or destination (webpage).
