Okta API calls indicating Okta identity provider creation
AlphaSOC detected the creation of a new identity provider (IDP) in Okta. An IDP object in Okta configures inbound federation: users who authenticate at an external SAML or OIDC provider are matched to, or provisioned as, Okta users, so whoever controls that external provider controls who Okta believes has signed in. Legitimate IDP creation is part of normal administration, but an IDP that nobody approved is a strong sign of malicious activity. Threat actors create unauthorized IDPs to establish persistent access that survives password resets and to route sign-ins around existing authentication controls.
Impact
The creation of unauthorized IDPs can enable threat actors to create backdoor accounts, potentially bypass multi-factor authentication (MFA), and establish persistent access to organizational resources. This could lead to unauthorized data access, lateral movement within the environment, and compromise of connected applications and services.
Severity
| Severity | Condition |
|---|---|
| Informational | One unexpected property (action, ASN, or user agent) |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
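The following is an added example, not AlphaSOC's detection code, showing how the description and the severity ladder above combine in practice: each Okta System Log event for an IDP creation is compared with what the acting administrator has been seen doing before, and the number of properties that fall outside that baseline (action, ASN, user agent) selects the severity. It assumes that the Okta event type for IDP creation is `system.idp.lifecycle.create`, that `EXPECTED` stands in for a baseline learned from earlier logs, and that the events in `SAMPLE_LOG` are constructed for the example rather than real log data.

```python
"""
Added example (not AlphaSOC's code): score Okta System Log events for
identity provider creation against a per-administrator baseline.

Assumptions not stated on the page: the Okta event type for IDP creation
is ``system.idp.lifecycle.create``; ``EXPECTED`` represents what each
administrator has previously been seen doing; ``SAMPLE_LOG`` is
constructed sample data, not real log output.
"""
from dataclasses import dataclass, field
from typing import Optional

IDP_CREATE = "system.idp.lifecycle.create"  # assumed Okta event type

# Severity by number of simultaneously unexpected properties (action, ASN, user agent).
SEVERITY = {1: "Informational", 2: "Low", 3: "Medium"}


@dataclass
class Baseline:
    """What an administrator has been seen doing before."""
    actions: set = field(default_factory=set)
    asns: set = field(default_factory=set)
    user_agents: set = field(default_factory=set)


def extract(event: dict) -> dict:
    """Pull the baselined properties and alert context out of one Okta LogEvent."""
    client = event.get("client") or {}
    targets = event.get("target") or []
    return {
        "actor": (event.get("actor") or {}).get("alternateId"),
        "action": event.get("eventType"),
        "asn": (event.get("securityContext") or {}).get("asNumber"),
        "user_agent": (client.get("userAgent") or {}).get("rawUserAgent"),
        "idp": targets[0].get("displayName") if targets else None,
        "published": event.get("published"),
    }


def score(event: dict, expected: dict) -> Optional[dict]:
    """Return an alert for a successful IDP creation, or None if nothing about it is unexpected."""
    if event.get("eventType") != IDP_CREATE:
        return None
    if (event.get("outcome") or {}).get("result") != "SUCCESS":
        return None
    e = extract(event)
    # An actor with no baseline at all is unexpected on every property.
    base = expected.get(e["actor"], Baseline())
    checks = (
        ("action", base.actions, e["action"]),
        ("asn", base.asns, e["asn"]),
        ("user_agent", base.user_agents, e["user_agent"]),
    )
    unexpected = [name for name, seen, value in checks if value not in seen]
    if not unexpected:
        return None
    return {
        "published": e["published"],
        "actor": e["actor"],
        "idp": e["idp"],
        "unexpected": unexpected,
        "severity": SEVERITY[len(unexpected)],
    }


# --- constructed baseline and sample events (not real data) ---------------------
CORP_ASN = 64496  # documentation ASN standing in for the corporate egress ASN
CORP_UA = "Mozilla/5.0 (Macintosh) Chrome/120"

EXPECTED = {
    # alice administers IDPs from the office, so a new IDP from her is routine
    "alice@example.com": Baseline({IDP_CREATE}, {CORP_ASN}, {CORP_UA}),
    # bob manages users but has never created an IDP
    "bob@example.com": Baseline({"user.lifecycle.create"}, {CORP_ASN}, {CORP_UA}),
}


def _event(actor, event_type, asn, ua, target_name, when):
    """Build a constructed Okta-shaped LogEvent (sample data, not real logs)."""
    return {
        "published": when,
        "eventType": event_type,
        "outcome": {"result": "SUCCESS"},
        "actor": {"type": "User", "alternateId": actor},
        "client": {"userAgent": {"rawUserAgent": ua}, "ipAddress": "203.0.113.10"},
        "securityContext": {"asNumber": asn},
        "target": [{"displayName": target_name}],
    }


SAMPLE_LOG = [
    _event("alice@example.com", IDP_CREATE, CORP_ASN, CORP_UA, "Partner SAML", "2024-05-01T09:00:00Z"),
    _event("bob@example.com", IDP_CREATE, CORP_ASN, CORP_UA, "Contractor OIDC", "2024-05-01T09:05:00Z"),
    _event("bob@example.com", IDP_CREATE, CORP_ASN, "curl/8.5.0", "Backup Login", "2024-05-01T23:41:00Z"),
    _event("svc-unknown@example.com", IDP_CREATE, 64512, "python-requests/2.31", "SSO2", "2024-05-02T03:12:00Z"),
    _event("bob@example.com", "user.lifecycle.create", CORP_ASN, CORP_UA, "new.hire@example.com", "2024-05-02T10:00:00Z"),
]


def run_samples(log=SAMPLE_LOG, expected=EXPECTED):
    """Score every event; returns only the ones that alert, in log order."""
    return [a for a in (score(ev, expected) for ev in log) if a]


if __name__ == "__main__":
    for alert in run_samples():
        print(f'{alert["published"]} {alert["severity"]:13} {alert["actor"]} created '
              f'"{alert["idp"]}" (unexpected: {", ".join(alert["unexpected"])})')
```

Run as-is, the sample produces three alerts: bob's first IDP is Informational (only the action is new for him), his late-night creation through curl is Low (action plus user agent), and the unknown service account creating "SSO2" from an unfamiliar ASN is Medium. Alice's creation and bob's user creation produce nothing. In a real deployment the events would come from the Okta System Log API (`/api/v1/logs`, filtered on the event type) and the baseline from the preceding weeks of the same log.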
Investigation and Remediation
Start with the Okta System Log entry for the creation: identify the actor (an interactive administrator or an API token), the source IP, ASN and user agent, and whether any of these are new for that actor, then confirm the change is covered by a ticket or change record. Next inspect the new IDP itself: its protocol (SAML or OIDC), the issuer and endpoints it points at, and above all how it maps inbound users: whether it provisions new accounts just-in-time, which attribute it uses to link to existing Okta users, and which routing rules or applications send sign-ins to it. An IDP that links to existing users by email is effectively a second front door, and sign-ins through it may satisfy or sidestep the MFA policy depending on configuration. If the creation is determined to be unauthorized, deactivate the IDP, remove any routing rules that reference it, rotate the credentials or API token of the actor that created it, review every sign-in that went through the IDP while it was active, and audit user access across the applications those users could reach.