Detects when an administrator successfully signs in into a newly created identity provider.

While this may be a legitimate action (such as logging in to a test IDP), if an attacker were able to perform this action it would enable them to access applications on behalf of others users.

Recommended Actions

Please confirm this is a known and expected event. If not, escalate immediately.

Compatibility

Okta

Default Detection Settings

Number of days since idp created: 90