We’ve spent years making logins harder to beat, but the trust decision still happens at a single point in time. Shared Signals changes that by letting identity systems receive and act on real-time risk from the tools that see it first. Okta’s Identity Threat Protection shows what’s possible, but the real potential lies in ecosystem adoption. When vendors emit and consume risk consistently, identity stops being just the gatekeeper and becomes part of a living, connected security fabric — one that adapts trust dynamically for the entire life of a session.

Authentication is a Moment. Risk is a Timeline.

I first covered this in a short talk at Infosec on the Okta stand. The brief was not to cover an Okta product, but provide a short talk on something innovative in IAM. I chose Shared Signals because it’s not vapourware and it’s not security vendor scare content. It’s here now, it works and it can really make a difference in your security posture.

We Secured the Door, So They Come Through the Window

Modern authentication is strong. Multi-factor checks, adaptive policies, device trust, risk scoring. It works. It’s harder than ever to come in through the front door, so attackers don’t do that anymore. Instead, tokens are stolen. Devices are compromised. Sessions are replayed.

The authentication decision, though, is a moment in time. A single event. It says 'yes' based on the context of a single request and after that the context drifts. A trusted user at login can be a threat minutes later. Most identity systems will never know it happened.

The protocols that made modern IAM possible were built to carry identity and access assertions, not evolving risk. They do their job well, but they stop at the point of entry. Shared Signals extends the model. It’s a standard designed to carry risk information after authentication, so the trust decision can adapt to what’s happening right now and not what was true at login.

Not Just a Bouncer Anymore

An identity provider checks credentials, enforces policy, and issues tokens. It controls access at the front door. Once the application accepts that token, the IdP steps back. 

This is often misunderstood. The IdP is not a proxy and it is not a CASB. It doesn’t sit in the traffic path. Once a session is established, the IdP has no direct control over what happens inside the application. Unless the application requests re‑authentication or step‑up, the IdP has no role and no visibility in what happens at the application. Like a bouncer that doesn’t get updated on a troublemaker inside the pub.

Shared Signals changes that. It enables the IdP to receive and act on real‑time risk information from other systems whether an Endpoint Detection alert, suspicious network behaviour or a sudden change in device compliance.

The IdP moves from gatekeeper to participant in an active, continuous exchange of risk intelligence.

It’s a Message Queue.

It’s not really.

However, the simplest way to understand Shared Signals is to think of it as a message queue. A structured, well understood, agreed way to send events from systems that detect risk to systems that can act on it.

These events are defined in a standard format. They travel in real time. They’re designed to trigger action. This moves us on from dumping alerts into a SIEM, writing custom scripts to parse them, and hoping your integrations still work a month later. It removes the middleman.

Anyone who’s tried to coordinate a response across multiple security and identity tools knows the pain — custom APIs, inconsistent formats, brittle connections that break with the next vendor update. Shared Signals removes that fragility. It provides a common language so different systems can exchange security-relevant context without a bespoke integration for every paired service.

And the sources can be anything that sees something important before your IdP does whether that’s an endpoint detection tool spotting a compromise, a network platform flagging suspicious traffic, a SaaS app marking a user as accessing from a suspicious IP, a threat intel feed exposing stolen credentials, or even your HR system signalling a termination. Yes, a Leaver event! The staple of traditional IAM can become a shared signal and not custom integration with your HR vendor.

Okta Walks the Talk

Okta’s Identity Threat Protection is their implementation of Shared Signals and isn’t just a concept. It’s live and in production. It currently provides support for receiving real‑time risk
events from supported partners like CrowdStrike, Zscaler, and Jamf. Critically though, it also supports custom endpoints meaning if your app can share a signal, Okta can hear it.

When those inbound signals arrive, Okta can evaluate them against policy and takes immediate action. A compromised device alert from CrowdStrike can revoke a user’s active session. A high‑risk traffic flag from Zscaler can trigger step‑up authentication. A non‑compliant device report from Jamf can block access entirely.

These aren’t queued for admin review. They can be configured for automatic execution.

What Okta then wants to be able to do is act more broadly on the event it sees, and trigger events to the applications and services that are interested in that signal. It becomes a broker. The best example of this would be universal logout. So not just taking action in Okta but moving that action to the whole application estate where that risk signal needs to be surfaced. This is part of their IPSIE drive, and specifically relevant to Universal Logout.

Dear Vendors, Please Come to the Party

If you follow the Universal Logout link, you’ll see a line. ‘Configure your application to support Universal Logout’. This here, is the kicker.

Shared Signals is all about collaboration. The vendors must show up with intent.

To unlock the full potential of real-time coordination, adoption needs to expand across SaaS and IaaS platforms, HR, ticketing and operational systems, CI/CD pipelines, and cloud-native tools.

These systems already produce identity-relevant events, but they don’t share them in a standard way. Instead, they silo critical security signals in dashboards, proprietary APIs, or email alerts that get ignored. That fragmentation dismantles the promise of instant action.

This is why Cybersecurity Mesh Architecture (CSMA) is gaining traction: it promotes interoperable, distributed security where each control can both share and consume intelligence natively. 

Shared Signals is key providing the language to connect identity with the rest of the mesh. It’s important to be clear. Shared Signals is not a remote-control protocol. An IdP can receive a risk signal and revoke access, but unless the downstream application supports Universal Logout or token revocation, the user’s session continues in each  application or service where the user has a session until that session dies. Again, you can cobble together integrations now that will handle that on an app-by-app basis, but now we have a standard. Adopt it.

Success depends on ecosystem participation. Vendors need to emit and consume signals, trust the definitions they use, and act on them consistently. That’s how we evolve from point‑in‑time authentication to a connected security mesh. I’ve said many times, in many meetings over the last 20 years ‘Yes. We can do that. Does your application / vendor support it?’ 

This is still that. Make IAM requirements part of your selection criteria.

Your IdP Just Grew Ears

Identity systems have always been the ones asking the questions: Who are you? What’s your password? Can you pass MFA? Once those questions were answered, they stepped aside until the next login prompt. 

Shared Signals changes that dynamic. It turns the identity provider into a listener constantly receiving context from trusted sources, interpreting it, and applying policy in response. The IdP no longer waits for a session to expire. It reacts to risk changes as they happen.

Identity moves from being a checkpoint to an active node in a broader, connected security fabric. One that can adapt trust dynamically throughout the life of a session.

Final Thought

Risk isn’t static. A session that was safe at 9:00 can be compromised by 9:05. Without a way to share and act on that change in real time, our identity systems are making yesterday’s trust decisions.

The technology is here. The early adopters are proving it works. The next step is an ecosystem willing to participate.

Authentication is a moment. Risk is a timeline. Shared Signals is how we connect them.