Shared Signals Framework

Identity Threat Protection (ITP) can take automated responsive actions in your environment or through Workflows when triggered by a first-party Okta event or a third-party integration partner signal. ITP uses the Shared Signals Framework (SSF) to send and receive security-related signals from third-party partners.

What is SSF?

SSF is a specification developed by the OpenID Foundation to standardize how security events are shared between systems. In the SSF, a transmitter sends signals to a receiver about changes in a user's session, credentials, or device. These signals fall into two main profiles: Continuous Access Evaluation Protocols (CAEP) and Risk Incident Sharing and Coordination (RISC). CAEP events generally describe changes to a subject's session, while RISC events describe changes to a subject's account.

Upon receipt of the signals, the receiver evaluates the events and responds with preconfigured actions. In ITP, this means that the risk engine ingests security events and reports them as entity risk detections in the user's profile and in System Log. The events contain risk assessments, which are used by the entity risk policy to initiate remediation actions like Workflows, session revocation, or Universal Logout.

Configuration requirements

Okta can be configured to serve as an SSF transmitter or an SSF receiver, depending on your use case.

• If you want to receive security events from third-party partners, you need to configure Okta as a shared signals receiver and the partner as the transmitter. See Configure a shared signal receiver.

• If you want to communicate risk assessments from Okta to your external partners, configure Okta as a shared signals transmitter. See Configure a shared signal transmitter.

• If you want to transmit signals when a session should be revoked on managed Apple IDs, see Apple Business Manager.