Okta user login via IdP
Description
AlphaSOC detected that a user logged in to Okta through an Identity Provider (IdP) via the user.authentication.auth_via_IDP event. While IdP authentication is a legitimate feature that enables single sign-on capabilities, monitoring these sign-ins is important as threat actors can exploit trusted relationships between organizations to gain unauthorized access. Adversaries may compromise an IdP or use stolen credentials to authenticate through federated identity systems.
Impact
Unauthorized IdP logins could allow threat actors to access multiple connected applications and services through a single compromised entry point. This federated access can lead to lateral movement across the organization's cloud infrastructure, data exfiltration, and persistence within the environment.
Severity
| Severity | Condition |
|---|---|
| Informational | Okta user login via IdP |
Investigation and Remediation
Review Okta system logs to identify the source of the login and verify this action was authorized. If unauthorized, immediately reset the user's credentials across all connected systems, revoke all active sessions, review audit logs for any unauthorized actions, audit connected applications for potential compromise, and review IdP trust relationships and configurations.
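The log review described above, as an added example that is not AlphaSOC's or Okta's own code: it reads a newline-delimited Okta System Log export, keeps only user.authentication.auth_via_IDP events, and attaches review reasons (failed outcome, source country outside an expected set, one user authenticating via the IdP from several countries). The sample records are constructed; their field names follow the Okta System Log schema (eventType, actor, client, outcome) but all values are invented, and the expected-country allowlist is an assumption an analyst would replace with their own.

```python
"""Triage helper for Okta System Log user.authentication.auth_via_IDP events.

Added example, not AlphaSOC's or Okta's code. The log lines are constructed;
their field names follow the Okta System Log schema (eventType, actor, client,
outcome), but every value is invented for this illustration.
"""
import json
from collections import defaultdict
from dataclasses import dataclass, field

IDP_LOGIN_EVENT = "user.authentication.auth_via_IDP"


def _event(published, event_type, user, ip, country, result):
    """Build one constructed Okta System Log record."""
    return {
        "published": published,
        "eventType": event_type,
        "actor": {"type": "User", "alternateId": user},
        "client": {"ipAddress": ip, "geographicalContext": {"country": country}},
        "outcome": {"result": result},
    }


# Constructed newline-delimited JSON export (one event per line).
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _event("2024-05-01T08:00:00Z", "user.session.start", "alice@example.com",
           "198.51.100.10", "United States", "SUCCESS"),
    _event("2024-05-01T08:05:00Z", IDP_LOGIN_EVENT, "alice@example.com",
           "198.51.100.10", "United States", "SUCCESS"),
    _event("2024-05-01T23:41:00Z", IDP_LOGIN_EVENT, "alice@example.com",
           "203.0.113.77", "Australia", "SUCCESS"),
    _event("2024-05-02T02:13:00Z", IDP_LOGIN_EVENT, "bob@example.com",
           "192.0.2.44", "Germany", "FAILURE"),
])


@dataclass
class IdpLogin:
    published: str
    user: str
    ip: str
    country: str
    result: str
    reasons: list = field(default_factory=list)  # why an analyst should look


def parse_idp_logins(ndjson_text):
    """Parse NDJSON and keep only auth_via_IDP events; malformed lines are skipped."""
    logins = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("eventType") != IDP_LOGIN_EVENT:
            continue
        client = ev.get("client") or {}
        geo = client.get("geographicalContext") or {}
        logins.append(IdpLogin(
            published=ev.get("published", ""),
            user=(ev.get("actor") or {}).get("alternateId", "unknown"),
            ip=client.get("ipAddress", ""),
            country=geo.get("country", ""),
            result=(ev.get("outcome") or {}).get("result", ""),
        ))
    return logins


def triage(logins, expected_countries):
    """Attach review reasons in place and return the same list.

    expected_countries is an assumed allowlist of countries the organization
    normally signs in from; anything else is worth a look.
    """
    countries_per_user = defaultdict(set)
    for lg in logins:
        countries_per_user[lg.user].add(lg.country)
    for lg in logins:
        if lg.result != "SUCCESS":
            lg.reasons.append(f"outcome {lg.result}")
        if lg.country not in expected_countries:
            lg.reasons.append(f"unexpected source country {lg.country}")
        if len(countries_per_user[lg.user]) > 1:
            lg.reasons.append("user authenticated via IdP from multiple countries")
    return logins


def needs_review(logins):
    """Return only the IdP logins that carry at least one review reason."""
    return [lg for lg in logins if lg.reasons]


if __name__ == "__main__":
    for lg in needs_review(triage(parse_idp_logins(SAMPLE_LOG), {"United States"})):
        print(lg.published, lg.user, lg.ip, lg.country, lg.result, "|", "; ".join(lg.reasons))
```

Run it against a real export by replacing SAMPLE_LOG with the NDJSON text pulled from the Okta System Log and setting expected_countries to the organization's own baseline; the flagged rows are the ones to check against the remediation steps above (credential reset, session revocation, audit of connected applications and IdP trust configuration).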