Okta Defensive Cyber Operations have observed that attackers who have obtained Super Admin access are leveraging IdP Federation to impersonate users to gain access to downstream applications. In this post I will discuss how to leverage workflows to alert on any IdP changes. For a more detailed discussion of how to prevent this attack and other detection options please refer to the Security Blog Post: Cross-Tenant Impersonation: Prevention and Detection.
We will be following the general process for receiving and processing events in workflows that I documented previously in Processing Okta Event Hooks with Workflows.
The steps required to set up this detection are as follows.
- Create an API Endpoint on Demand Workflow in Workflows Console
- Create an Event Hook in Okta Admin Console
- Update Workflow to capture details and alert
- Test the Workflow
Creating Workflow to Receive Events
To create the initial workflow that receives events, follow the instructions outlined in this blog.
Create Event Hook
Create an Identity Provider specific Event Hook by following the instructions provided for event hooks here and selecting all Identity Provider related events.
- Fired when an Identity Provider is deleted
- Fired when an Identity Provider is updated
- Fired when an Identity Provider is activated
- Fired when an Identity Provider is created
- Fired when an Identity Provider is deactivated
You should end up with an event list like follows and there should be no need to filter any of the events.

Update the Workflow
The event hook is delivered as a JSON event object with an events array nested inside the data element. To process this within the workflow we need to do the following.
- Parse the JSON object.
- Extract the list of events.
- Grab the first object and extract the required fields from the Object.
- Take an action.
In this example we are going to extract the displayMessage from the event, which describes what action was taken, and post it to a Slack channel. To do this you’ll need to complete the following steps.
- Add a JSON Parse block with output -> data -> events.
- Extract the first object from the event list with a List At card with index = 0.
- Retrieve the displayMessage with an Object Get card.
- Use the Send Message to Channel Slack card with the output of the Get card as the message text. Note: If you haven’t added Slack as an app yet or need assistance, refer to the documentation here.
- Make sure you save the Workflow and confirm that it is saving data and is activated.
When you’ve finished, this flow should look like the below.

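The same JSON Parse -> List At -> Object Get logic, written as an added Python example (not part of the original post or of Okta Workflows) so the parsing can be reasoned about outside the no-code cards. It walks every event in the array rather than only index 0 and skips events that are not IdP changes; the payload, the actor and target values and the `system.idp.lifecycle.` event type prefix are constructed assumptions for the sample.

```python
import json

# Constructed sample payload in the shape the post describes: an Okta event hook
# delivery with an "events" array nested under "data". All values are made up.
SAMPLE_HOOK_BODY = json.dumps({
    "eventType": "com.okta.event_hook",
    "data": {
        "events": [
            {
                "eventType": "system.idp.lifecycle.activate",
                "displayMessage": "Activate an Identity Provider",
                "published": "2023-09-01T10:15:00.000Z",
                "actor": {"alternateId": "admin@example.com", "type": "User"},
                "target": [{"type": "IdentityProvider", "displayName": "Example SAML IdP"}],
            },
            {
                "eventType": "user.session.start",
                "displayMessage": "User login to Okta",
                "published": "2023-09-01T10:16:00.000Z",
                "actor": {"alternateId": "user@example.com", "type": "User"},
                "target": [],
            },
        ]
    },
})

IDP_EVENT_PREFIX = "system.idp.lifecycle."  # assumed prefix shared by the five IdP events


def idp_alerts(body: str) -> list[str]:
    """Parse an event hook body and return one Slack-ready line per IdP change.

    Mirrors the flow's JSON Parse -> List At -> Object Get steps, but walks every
    event in the array rather than only index 0, and ignores non-IdP events.
    """
    events = json.loads(body).get("data", {}).get("events", [])
    alerts = []
    for ev in events:
        if not ev.get("eventType", "").startswith(IDP_EVENT_PREFIX):
            continue
        actor = ev.get("actor", {}).get("alternateId", "unknown actor")
        targets = ", ".join(t.get("displayName", "?") for t in ev.get("target", [])) or "n/a"
        alerts.append(
            f"IdP change: {ev.get('displayMessage', ev['eventType'])} "
            f"by {actor} on {targets} at {ev.get('published', '?')}"
        )
    return alerts


if __name__ == "__main__":
    for line in idp_alerts(SAMPLE_HOOK_BODY):
        print(line)
```

The returned strings are what the Send Message to Channel card would post; an empty list (no IdP events in the delivery) is the case the flow's index 0 lookup would otherwise fail on.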
Testing the Workflow
To test the workflow, follow the steps below.
- Head back into the Admin Console and navigate to Workflow -> Event Hooks.
- Select the event hook that you created and select Preview.
- Select an Event Type, e.g. Fired when an Identity Provider is activated, and either select a recent syslog event or leverage the example event as shown below.
- Click Deliver Request.

You should see Request Delivery Successful and see the event message posted to the chosen integrated Slack channel as shown below.

This is a simple example of processing IdP changes and alerting in Slack. I would recommend linking into a proper alerting or SOAR tool and taking proactive action as soon as any unexpected IdP changes are detected.