Okta user signed in via IDP
Description
AlphaSOC detected that a user signed in to Okta through an Identity Provider (IDP). While IDP authentication is a legitimate feature that enables single sign-on capabilities, monitoring these sign-ins is important as threat actors can exploit trusted relationships between organizations to gain unauthorized access. Adversaries may compromise an IDP or use stolen credentials to authenticate through federated identity systems.
Impact
Unauthorized IDP sign-ins could allow threat actors to access multiple connected applications and services through a single compromised entry point. This federated access can lead to lateral movement across the organization's cloud infrastructure, data exfiltration, and persistence within the environment.
Severity
| Severity | Condition |
|---|---|
| Informational | Okta user signed in via IDP |
Investigation and Remediation
Review Okta system logs to identify the source of the login and verify this action was authorized. If unauthorized, immediately reset the user's credentials across all connected systems, revoke all active sessions, review audit logs for any unauthorized actions, audit connected applications for potential compromise, and review IDP trust relationships and configurations.
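A triage helper for the log review described above, added here as an example and not part of AlphaSOC's detection or Okta's own tooling: it groups IdP sign-ins per user and flags those that came through an IdP outside an allow list or from a country other than the user's earliest sign-in in the batch. It assumes the Okta System Log event type name for IdP sign-ins and the record shape shown, and the allow list and sample records are constructed.

```python
# Okta System Log event type for a sign-in via an external IdP (assumed name;
# confirm it against your tenant's log before relying on it).
IDP_EVENT = "user.authentication.auth_via_IDP"

def rec(event_type, when, user, ip, country, idp=None):
    """Build one record in Okta System Log JSON shape (constructed sample data)."""
    return {"eventType": event_type, "published": when,
            "actor": {"alternateId": user}, "outcome": {"result": "SUCCESS"},
            "client": {"ipAddress": ip, "geographicalContext": {"country": country}},
            "target": [{"type": "AppInstance", "displayName": idp}] if idp else []}

# Constructed batch: alice's second IdP sign-in comes from another country
# through an IdP that is not on the allow list.
SAMPLE_LOG = [
    rec(IDP_EVENT, "2024-05-01T08:02:11Z", "alice@example.com",
        "203.0.113.10", "United States", "Corp SAML IdP"),
    rec(IDP_EVENT, "2024-05-01T23:41:52Z", "alice@example.com",
        "198.51.100.77", "Brazil", "Partner IdP"),
]

def idp_signins(records):
    """Keep successful IdP sign-ins and flatten the fields a triager needs."""
    out = []
    for r in records:
        if r.get("eventType") != IDP_EVENT or r["outcome"]["result"] != "SUCCESS":
            continue
        idp = next((t.get("displayName") for t in r.get("target", [])
                    if t.get("type") == "AppInstance"), "unknown")
        out.append({"user": r["actor"]["alternateId"], "when": r["published"],
                    "ip": r["client"]["ipAddress"], "idp": idp,
                    "country": r["client"]["geographicalContext"].get("country")})
    return out

def triage(records, trusted_idps):
    """Group IdP sign-ins per user and flag those from an IdP outside the allow
    list or from a country other than the user's earliest sign-in in the batch."""
    by_user, flags = {}, []
    for e in idp_signins(records):
        by_user.setdefault(e["user"], []).append(e)
    for events in by_user.values():
        events.sort(key=lambda e: e["when"])
        baseline = events[0]["country"]
        for e in events:
            checks = [(e["idp"] not in trusted_idps, f"IdP not on allow list: {e['idp']}"),
                      (e["country"] != baseline,
                       f"country {e['country']} differs from first seen {baseline}")]
            reasons = [msg for hit, msg in checks if hit]
            if reasons:
                flags.append({**e, "reasons": reasons})
    return by_user, flags
```

Flagged entries carry the user, timestamp, client IP, country and IdP name, which is the minimum a responder needs before deciding whether to revoke sessions and reset credentials.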