Configure a shared signal transmitter

Okta uses the Shared Signals Framework (SSF) to send security-related events and other data-subject signals to third-party security vendors. Configure an SSF transmitter to manage stream configurations between the SSF receiver and Okta.

The Okta SSF transmitter supports two types of Continuous Access Evaluation Protocol (CAEP) events: Session Revoked and Credential Change. Those events are mapped to an Okta event.

Configure app integration in Okta

  1. In the Admin Console, go to ApplicationsApplications.

  2. Click Create App Integration.

  3. Choose OIDC - OpenID Connect as the Sign-in method, and Web Application as the Application type. Click Next.

  4. On the New Web App Integration page, enter the following:

    • App Integration Name: Your app name

    • Grant type: Check the boxes for Authorization Code and Refresh Token.

    • Sign-in redirect URIs: Enter your app's sign-in redirect URI.

    • Assignments: For the initial app integration, assign the app to your admin.

  5. Click Save.

  6. Click the Okta API Scopes tab. In the list of API Scopes, locate ssf.manage and ssf.read scopes and click Grant for each. If you're unable to locate ssf.manage and ssf.read in the API Scopes list, contact your Okta account representative.

  7. Click the General tab, which contains the information that you add to the receiver. Make note of the Client ID and Client Secret to add in the next step.

Initiate stream creation from the receiver

Use the Okta SSF Config URL https://yourOktaOrgURL/.well-known/ssf-configuration and follow instructions provided by the SSF Receiver to create a stream on the Okta Transmitter. For an example, see Configure Apple Business Manager or refer to Create an SSF stream.

Set up SCIM between your receiver and Okta

This optional step enables you to link identities between Okta and the SSF receiver.

Create a custom app integration with SCIM provisioning enabled. See Add SCIM provisioning to app integrations.

Assign your users, including yourself, to the new app to link identities between Okta and the receiver. For an example, see Set up Directory Sync between Apple and Okta .

Transmit shared signals

To view and manage your transmitter's streams, go to SecurityDevice Integrations. Select Transmit shared signals.

The Okta Transmitter supports two CAEP events: Session Revoked and Credential Change. If a CAEP Credential Change event is fired, the Security Event Token payload contains one of the following phrases in the reason_admin field:

  • Activate factor for user

  • Reset factor for user

  • Suspend factor for user

  • Unsuspend factor for user

  • Update factor for user

  • Fired when the user's Okta password is reset

  • User update password for Okta

For payload structure examples, see SSF Transmitter SET payload structures.

Stream actions

After a stream is created, it appears in the stream list. If you want to verify or remove a stream, click Actions and select an option from the dropdown menu:

  • Verify stream: Request a Verification Event to be transmitted over the stream. Successful receipt of the event (on the Receiver) confirms that the stream is configured correctly.

  • Delete: Removes the stream from your org

System Log events

System Log events are triggered for the following actions.

  • security.events.transmitter.create: Create stream

  • security.events.transmitter.delete: Delete stream

  • event_hook.delivery: SET delivery failure

Related topics

Get started with app integrations

Learn about app integrations