Okta Desktop Single Sign On (DSSO) from unexpected profile source

Goal

Detects Okta Desktop Single Sign On through a non‑priority profile source.

Strategy

This rule monitors Okta authentication logs for user.authentication.dsso_via_non_priority_source events.

The debugContext.debugData object contains the prioritized profile source and the actual profile source used during the DSSO attempt for {{@debugContext.debugData.oktaUserEmail}}.

The highest priority profile source is typically expected in this flow. The presence of this log event might be benign or might indicate an attempt to authenticate the user from a compromised Active Directory domain or another source that establishes user profiles in Okta.

Triage & Response

  • Examine surrounding login events for {{@debugContext.debugData.oktaUserEmail}} to confirm abnormal behavior.
  • Identify the profile source used, {{@debugContext.debugData.incomingProfileSourceInstanceId}}, and validate in the Okta Admin console that it is trusted and expected for the organization.
  • Analyze subsequent activity by {{@debugContext.debugData.oktaUserEmail}} after the DSSO event, including sensitive application access or administrative changes, to evaluate risk.
  • If the access event is unexpected or resulted in suspicious activities, initiate your incident response plan.
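
The triage steps above can be scripted against exported Okta System Log events. The following is an added example, not part of the original rule: it flags each DSSO event whose incoming profile source is not on an allowlist and collects the same user's follow-up activity. The allowlist, the one-hour window, matching follow-up events on actor.alternateId, and the sample events are all assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta

DSSO_EVENT = "user.authentication.dsso_via_non_priority_source"
# Assumption: profile source instance IDs the organization trusts (constructed value).
TRUSTED_SOURCES = {"SRC_TRUSTED_EXAMPLE"}
# Assumption: how long after the DSSO event to review the user's activity.
FOLLOW_UP_WINDOW = timedelta(hours=1)

# Constructed sample events, one JSON object per line, shaped like Okta System Log records.
SAMPLE_LOG = """
{"published":"2024-01-01T10:00:00.000Z","eventType":"user.authentication.dsso_via_non_priority_source","actor":{"alternateId":"alice@example.com"},"debugContext":{"debugData":{"oktaUserEmail":"alice@example.com","incomingProfileSourceInstanceId":"SRC_UNKNOWN_EXAMPLE"}}}
{"published":"2024-01-01T10:05:00.000Z","eventType":"user.session.access_admin_app","actor":{"alternateId":"alice@example.com"}}
{"published":"2024-01-01T12:30:00.000Z","eventType":"user.authentication.sso","actor":{"alternateId":"alice@example.com"}}
{"published":"2024-01-01T10:30:00.000Z","eventType":"user.session.start","actor":{"alternateId":"bob@example.com"}}
{"published":"2024-01-01T11:00:00.000Z","eventType":"user.authentication.dsso_via_non_priority_source","actor":{"alternateId":"bob@example.com"},"debugContext":{"debugData":{"oktaUserEmail":"bob@example.com","incomingProfileSourceInstanceId":"SRC_TRUSTED_EXAMPLE"}}}
"""

def parse_ts(value):
    # Okta timestamps end in "Z"; normalise so fromisoformat accepts them.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage(log_text):
    """Return one finding per DSSO event, in chronological order."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: parse_ts(e["published"]))
    findings = []
    for ev in events:
        if ev.get("eventType") != DSSO_EVENT:
            continue
        data = ev.get("debugContext", {}).get("debugData", {})
        user = data.get("oktaUserEmail")
        source = data.get("incomingProfileSourceInstanceId")
        start = parse_ts(ev["published"])
        # Activity by the same user inside the review window after the DSSO event.
        follow_up = [
            e["eventType"] for e in events
            if e is not ev
            and e.get("actor", {}).get("alternateId") == user
            and start <= parse_ts(e["published"]) <= start + FOLLOW_UP_WINDOW
        ]
        findings.append({"user": user, "source": source,
                         "trusted_source": source in TRUSTED_SOURCES,
                         "follow_up": follow_up})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A finding with trusted_source set to False and a non-empty follow_up list is the one to review first.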