Configure a shared signal receiver

Configuring Okta as a shared signal receiver allows Okta to receive security-related events from a security events provider's apps. This integration is based on OpenID Shared Signals and Events Framework specifications.

Setting up the integration requires admins to gather configuration details from the security provider that sends the signals to Okta. After the stream is configured in the Admin Console, Okta can ingest the risk signals as events. See SSF Security Event Tokens API to configure your transmitter to send risk signals as Security Event Tokens (SETs) to Okta.

These signals inform the risk engine and are reported as entity risk detections (user.risk.detect events) in Okta. Okta also publishes the received Shared Signals Framework (SSF) and Continuous Access Evaluation Protocol (CAEP) event encapsulated in a System Log event called security.events.provider.receive_event. The risk assessment communicated in the user.risk.detect event is used by the entity risk policy to configure actions using Workflows, session revocation, or Universal Logout. This ensures that an entity's risk is informed by interactions with threat surfaces outside the scope of identity, like activity on a device, on the network, within an application, or with data.

The SSF integration enables the Okta user to be protected, even if they aren't interacting with Okta.

Before you begin

To receive risk signals from a security events provider, you need to configure the SSF Transmitter. This is done in the security provider app, which provides a JWKS (JSON Web Key Set) that's used in the Admin Console to configure the integration with the security provider's app. Refer to your security provider's documentation for SSF Transmitter configuration.

Security events providers

Identity Threat Protection with Okta AI (ITP) polls Okta Verify continuously to get signals by default. ITP also gets signals from any supported endpoint security integrations like CrowdStrike Falcon and Windows Security Center (if configured).

In addition to Okta-sourced signals, ITP can receive signals from the following security events providers (if configured).

Security providers

App

Cloudflare Cloudflare One Enterprise
CrowdStrike Falcon Okta Verify
Jamf Jamf Security Cloud (Jamf Radar)
Netskope Netskope Cloud Exchange
Okta Okta Verify
Palo Alto Networks Cortex XSIAM
Rubrik Rubrik Security Cloud (RSC)
SGNL All products
Windows Security Center Okta Verify
Zimperium Mobile Threat Defense (formerly known as zIPS)
Zscaler Deception

Configure the security events provider app

Before you can start to see security events in Okta, you must prepare the security provider's app to share information with Okta.

To transmit signals from CrowdStrike Falcon or Windows Security Center to Okta, you must integrate them with Okta Verify. See Endpoint security integrations instead.

In the security provider's app, you generate the Issuer and JWKS URLs that secure the transmission of signals to your Okta org.

These steps walk you through setting up Okta as an SSF receiver with Jamf as a transmitter. Refer to the documentation of your security provider's app to learn more about signal sources, the Shared Signals and Events Framework (SSF), and configuring the security provider application to share signals with Okta.

  1. Sign in to Jamf as a super admin.
  2. Open Integrations SSF Streams.
  3. Click Create new SSF stream.
  4. Enter the audience, which is the URL that identifies the stream. In this case, the audience is your Okta tenant address, for example, https://your-org.oktapreview.com or https://your-org.okta.com.
  5. Click Create.

When the stream is created, Jamf returns a token that's used by SSF receivers that support auto-discovery. This token isn't used by Okta. Instead, copy the Well-known URL to enter in the Admin Console.

Receive shared signals

Enable your Okta org to receive security signals from provider apps using the SSF. The SFF helps create a network between your security provider applications, continuously sharing security information with Okta to prevent and mitigate security threats to your users.

  1. In the Admin Console, go to Security Device Integrations.
  2. Click the Receive shared signals tab.
  3. Click Add stream.
  4. Enter an Integration name.
  5. You can set up the integration with a Well-known URL or the Issuer URL and JWKS (JSON Web Key Set) URL, which come from the transmitter of the signals you're configuring Okta to receive. Select the integration, which in this example is the Well-known URL.
  6. Paste the URL from the security provider application into the Well-known URL field.
  7. Click Create.

If the stream is created successfully, it appears in the stream list in the Admin Console. The status is set to Active by default.

If Okta was unable to create the stream due to an error, a message appears requesting that you add the stream again. Check the URL you entered to ensure it's correct before attempting to connect the stream again.

Stream actions

When a stream has been created, it appears in the stream list. All added streams are Active by default. If you want to edit, deactivate, or remove a stream, click Actions and select an option from the dropdown menu.

Monitor stream events

After you configure an SSF stream, Okta receives Security Event Tokens (SETs) that comply with the CAEP. SETs inform how Okta calculates entity risk, and can be viewed in security.events.provider.receive_event System Log events.

There are several ways that an admin can monitor an SSF stream:

  • View the SET content in security.events.provider.receive_event System Log events.
  • Ensure these are encapsulated in user.risk.detect events.
  • Refer to security provider documentation on the type of risk events supported for transmission that can be received or seen within Okta.
  • Use the Entity risk report to see the entity risks that were detected by Okta.

Related topics

Endpoint security integrations

Detection settings for entity risk policy

Observability with Identity Threat Protection

Event types