Post auth session evaluation with Identity Threat Protection

During an Okta session, after the initial authentication, Identity Threat Protection with Okta AI (ITP) continuously monitors user activity for changes in IP address and device context. By default, ITP uses signals from Okta Verify. ITP also uses signals from any endpoint security solutions that you've integrated with Okta Verify, and signals from security event providers that you've configured using the Shared Signals Framework (SSF).

When an IP or device context change is detected, ITP reevaluates the global session policy for the Okta session. It also reevaluates authentication policies (including device context conditions) for all active app sessions that are associated with the Okta session.

ITP doesn't initiate a reevaluation of your global session and authentication policies when you update them.

Using the post auth session evaluation policy, you can configure automated remediation actions that ITP takes if there's a session violation.

Monitor post auth session violations

By default, all session violations are recorded in the System Log as policy.auth_reevaluate.fail events to help you understand the security posture of your environment. You can view policy fail events and analyze historical data with these methods:
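One way to work with those events once exported, as an added example that is not Okta's code: it groups policy.auth_reevaluate.fail entries by user and flags users whose violations came from more than one source IP. The field layout (eventType, published, actor.alternateId, client.ipAddress, outcome.reason) is the common System Log shape, and the sample entries and their reason strings are constructed, not real events.

```python
"""Summarize policy.auth_reevaluate.fail events from Okta System Log JSON."""
from collections import defaultdict

REEVAL_FAIL = "policy.auth_reevaluate.fail"
# Filter expression for the System Log API (GET /api/v1/logs?filter=...).
LOG_FILTER = f'eventType eq "{REEVAL_FAIL}"'


def summarize_reevaluation_failures(entries):
    """Return {user: [(published, client_ip, outcome_reason), ...]} in time
    order; entries of any other eventType are skipped. Timestamps are
    ISO-8601 strings, which sort correctly as text."""
    by_user = defaultdict(list)
    for e in entries:
        if e.get("eventType") != REEVAL_FAIL:
            continue
        user = (e.get("actor") or {}).get("alternateId", "<unknown>")
        ip = (e.get("client") or {}).get("ipAddress")
        reason = (e.get("outcome") or {}).get("reason")
        by_user[user].append((e.get("published", ""), ip, reason))
    return {u: sorted(evs) for u, evs in by_user.items()}


def users_failing_from_multiple_ips(summary, threshold=2):
    """Users whose violations came from at least `threshold` distinct IPs."""
    return sorted(u for u, evs in summary.items()
                  if len({ip for _, ip, _ in evs}) >= threshold)


# Constructed sample entries (assumed field layout, not real Okta data).
SAMPLE_ENTRIES = [
    {"eventType": REEVAL_FAIL, "published": "2024-05-01T10:05:00.000Z",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "198.51.100.7"},
     "outcome": {"result": "FAILURE", "reason": "device context changed"}},
    {"eventType": "user.session.start", "published": "2024-05-01T10:01:00.000Z",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.10"}, "outcome": {"result": "SUCCESS"}},
    {"eventType": REEVAL_FAIL, "published": "2024-05-01T10:00:00.000Z",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.10"},
     "outcome": {"result": "FAILURE", "reason": "IP address changed"}},
    {"eventType": REEVAL_FAIL, "published": "2024-05-01T11:00:00.000Z",
     "actor": {"alternateId": "bob@example.com"},
     "client": {"ipAddress": "203.0.113.44"},
     "outcome": {"result": "FAILURE", "reason": "IP address changed"}},
]
```

Running `summarize_reevaluation_failures(SAMPLE_ENTRIES)` on the sample yields two violations for alice (from two IPs) and one for bob, so only alice is returned by `users_failing_from_multiple_ips`.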

Enforce post auth session evaluation policy

You can configure the post auth session evaluation policy to take automated actions in response to session violations. For example, you can prompt users for multifactor authentication, terminate app sessions with Universal Logout, or trigger custom actions with Okta Workflows. See Enforce post auth session evaluation policy.