Identity Threat Protection key concepts

Learn about the key concepts and components of Okta Identity Threat Protection with Okta AI (ITP) to better understand how the identity security solution protects your org.

User session concepts

User session
The Okta session or app sessions that are associated with an Okta session.
Okta session
The state during which a user is authenticated and authorized to access apps that are secured by Okta. The Okta session starts when a user successfully signs in to Okta. An Okta session can be associated with one or more app sessions during which the user interacts with the app's resources. Okta maintains this state with the user by issuing an Okta session cookie to the user (client).
App session
The state that's maintained by an app after a user authenticates with Okta and is granted access to the app. The app maintains this state with the user by issuing an app session cookie to the user (client).
Session context change
A user's IP or device context may change during a session. When such a change is detected, ITP reevaluates the user risk. It also reevaluates behavior when the session context change is associated with a user request. ITP logs this information as user.session.context.change events in the System Log.
Session violation
When ITP detects a session context change, it reevaluates your global session and authentication policies for all active app sessions. A session violation occurs when the requirements in the matched policy rules aren't satisfied by the user sessions. The policy.auth_reevaluate.fail event in the System Log indicates a session violation.

Risk types and associated policies

Risk engine
A key component of Okta AI. In ITP, the Okta risk engine calculates login, session, and entity risk. Login risk is calculated during authentication. After authentication, the risk engine calculates the session risk. The risk engine also aids Behavior Detection and ThreatInsight. ITP uses the risk engine to collect feedback from admins and users, reevaluate global session policy and authentication policies, and drive entity risk policy evaluation.
Session risk
When an IP or device context change occurs during an active user session, ITP assesses the probability of the session being compromised and calculates the risk level. ITP checks for patterns of session hijacking, such as token theft and replay. The potential impact of session risk is limited to the Okta session and the apps that the user accesses through that session. In the System Log, the user.session.context.change event indicates a session context change. This event includes information about risk level and the reason for the change. When a session violation occurs, the session protection policy automatically takes remediation actions that you've configured.

Session risk, session context change, and session violation drive the session protection policy. In this policy, you can configure adaptive remediation actions that are taken when a session violation occurs. The policy.auth_reevaluate.action event in the System Log indicates the remediation actions that the session protection policy takes in response to a session violation. See Session protection.
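The following is an added example, not Okta code. It correlates the three System Log event types described above per session and reports each session violation along with whether a remediation action followed. It assumes that these events carry authenticationContext.externalSessionId and actor.alternateId as in the standard System Log event schema. The function names, the five-minute window, and the sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

CHANGE = "user.session.context.change"
VIOLATION = "policy.auth_reevaluate.fail"
ACTION = "policy.auth_reevaluate.action"

def make_event(event_type, published, user, sid):
    # Builds a constructed event with only the fields this example reads.
    return {"eventType": event_type, "published": published,
            "actor": {"alternateId": user},
            "authenticationContext": {"externalSessionId": sid}}

# Constructed sample data, not real System Log output.
SAMPLE_EVENTS = [
    make_event(CHANGE, "2024-05-01T10:00:00.000Z", "alice@example.com", "sess-A"),
    make_event(VIOLATION, "2024-05-01T10:00:02.000Z", "alice@example.com", "sess-A"),
    make_event(ACTION, "2024-05-01T10:00:03.000Z", "alice@example.com", "sess-A"),
    make_event(CHANGE, "2024-05-01T11:00:00.000Z", "bob@example.com", "sess-B"),
    make_event(VIOLATION, "2024-05-01T11:00:01.000Z", "bob@example.com", "sess-B"),
    make_event(CHANGE, "2024-05-01T12:00:00.000Z", "carol@example.com", "sess-C"),
]

def _ts(event):
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%S.%fZ")

def session_violations(events, window=timedelta(minutes=5)):
    """One record per session violation: the context change that preceded it
    and whether a remediation action followed within `window` (assumed value)."""
    by_session = defaultdict(list)
    for e in events:
        sid = (e.get("authenticationContext") or {}).get("externalSessionId")
        if sid and e.get("eventType") in (CHANGE, VIOLATION, ACTION):
            by_session[sid].append(e)
    findings = []
    for sid, evs in by_session.items():
        evs.sort(key=_ts)
        last_change = None  # stays None if no context change was logged first
        for i, e in enumerate(evs):
            if e["eventType"] == CHANGE:
                last_change = e["published"]
            elif e["eventType"] == VIOLATION:
                remediated = any(n["eventType"] == ACTION and _ts(n) - _ts(e) <= window
                                 for n in evs[i + 1:])
                findings.append({"session": sid, "user": e["actor"]["alternateId"],
                                 "context_change": last_change,
                                 "violation": e["published"], "remediated": remediated})
    return sorted(findings, key=lambda f: f["violation"])

if __name__ == "__main__":
    for finding in session_violations(SAMPLE_EVENTS):
        print(finding)
```

A violation reported with remediated set to False is a prompt to review which actions the session protection policy is configured to take.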

Entity risk
ITP assesses the probability of a user account being compromised based on access across devices, sessions, and apps. ITP assesses entity risk even if the user doesn't have an active session. Since the entity risk is evaluated on the user account, it's also called entity user risk. ITP evaluates the risk based on Okta-sourced entity risk detections and signals or detections received from security event providers through the Shared Signals Framework (SSF) and Continuous Access Evaluation Protocol (CAEP). In the System Log, the user.risk.detect event indicates entity user risk level detections.

In the entity risk policy, you can configure adaptive remediation actions (Universal Logout or Workflows) in response to entity risk detections. You can set multiple rules that target different threats and define conditions by user group, entity risk detection, and risk level. See Entity risk policy.

Related topics

Get started with Identity Threat Protection

Risk detections