Enhancement: Shared Signal Framework Receiver - Support for Risk Level and Token Claims Change Events

:bangbang: The SailPoint Shared Signal Framework Receiver can now receive Risk Level Change and Token Claims Change events from the Shared Signal Framework Transmitter, in addition to the previously supported Device Compliance events, based on the OpenID CAEP security protocol.

Description

The SailPoint Shared Signals Framework (SSF) Receiver now supports CAEP Risk Level Change and CAEP Token Claims Change events. When a security event is received, it is automatically correlated to an identity and enriched with relevant identity context.

Risk Level Change Events:

  • The CAEP Risk Level Events refer to specific, real-time changes in a user’s context or session status that signal increased risk, triggering dynamic security responses, such as a sudden location change, device compromise, or a drop in assurance level, allowing systems to prompt for re-authentication or revoke access to protect resources.
  • For examples,
    • An employee, Chris, is initially assessed as low risk because their device is fully compliant. After a software update is pushed, vendor system detects that Chris has disabled automatic updates and is running a version with known vulnerabilities. This triggers a Risk Level Change event from the SSF transmitter of the vendor which can be received through SailPoint SSF Receiver, increasing Chris’s risk level to medium. You can then take the action based on this response received in the receiver.
    • An employee, Taylor, is considered medium risk because their device, managed by a vendor system, has a few non-critical compliance issues. However, the vendor system now detects that Taylor has disabled FileVault encryption and has installed unauthorized software. This triggers a Risk Level Change event, elevating Taylor’s risk level to high.
    • A new employee, Sam, is initially assessed as low risk. After a week, the vendor system detects that Sam is accessing applications from multiple locations, including a country they are not authorized to work from, but MFA is enabled. This triggers a Risk Level Change event, increasing Sam’s risk level to medium.
    • An employee, Casey, has a medium-risk level due to accessing sensitive applications.
      The vendor system then detects that Casey’s account is being targeted by a credential stuffing attack, with multiple failed login attempts before successful authentication. This triggers a Risk Level Change event, elevating Casey’s risk level to high.

Token Claims Change Events:

  • Token Claims Change Event signals that a user’s identity token claims (like permissions, roles, or resource access) have been updated by the Identity Provider (IdP) after the token was issued, allowing relying parties (applications) to dynamically adjust access for ongoing sessions without requiring immediate re-login, enhancing security.
  • For example,
    • A user, Sarah, has access to a system with specific permissions. If her role changes within the organization (for example, she moves from the marketing team to the finance team), the Token Claims Change event will be triggered. This will signal that her access rights need to be re-evaluated to ensure she only has appropriate access to financial data, maintaining compliance and security. SailPoint SSF Receiver will receive this event and based on that the associated Workflow can be triggered to perform a certain task which will ensure the security of the particular Identity or associated accounts.

Workflow Triggers and Templates:

  • The CAEP Risk Level Change Trigger and CAEP Token Claims Change Trigger fire when the event is received and correlated to an identity.
  • The Create Certification Campaign When Risk Level Changes Workflow template shows how to send an email notification and create a certification campaign when an Identity’s risk level changes from Low to Medium.
  • The Remove Access When Risk Level Changes Workflow template shows how to disable an Identity’s accounts when an identity’s risk level changes to High.
  • The Create a Certification Campaign When Token Claims Change Workflow template shows how to send an email notification and create a certification campaign when an Identity’s claims have changed.

Documentation

Release Details

  • Identity Security Cloud - Available (SaaS).
1 Like