Post auth session evaluation with Identity Threat Protection

During an Okta session, after the initial authentication, Identity Threat Protection with Okta AI (ITP) continuously monitors the user activity for changes in IP address and device context. By default, ITP uses signals from Okta Verify. ITP also uses signals from any endpoint security solutions that you've integrated with Okta Verify and signals from security event providers that you've configured using Shared Signals Framework (SSF).

When an IP or device context change is detected, ITP reevaluates the global session policy for the Okta session. It also reevaluates authentication policies (including device context conditions) for all active app sessions that are associated with the Okta session.

Using the post auth session evaluation policy, you can configure automated remediation actions that ITP takes if there's a session violation.

Monitor post auth session violations

By default, all session violations are recorded in the System Log as policy.auth_reevaluate.fail events to help you understand the security posture of your environment. You can view policy fail events and analyze historical data with these methods:

• On the Admin Dashboard, Post auth session violations widget provides a quick overview of policy failure events in a given timeframe.
• Session Violation Report provides detailed interactive insights. You can export this data for further analysis.
• In the System Log events for Identity Threat Protection you can focus on details of a particular event.

Enforce post auth session evaluation policy

You can configure the post auth session evaluation policy to take automated actions in response to session violations. For example, you can prompt users for multifactor authentication, terminate app sessions with Universal Logout, or trigger custom actions with Okta Workflows. See Enforce post auth session evaluation policy.