Detects when an administrator configures an additional identity provider.

While this may be a legitimate new creation (such as the creation of a test IDP), if an attacker were able to perform this action it would enable them to access applications on behalf of others users. Logins to this identity provider will be monitored via the "Sign-in from Recently Created IDP" check.

Recommended Actions

Please confirm this is a known and expected event. If not, escalate immediately.

Compatibility

Okta