Shared Signals: Enhanced Security for All

Published April 26, 2024

Last month, at the Gartner Identity and Access Management Summit in London, industry leaders showcased successful, interoperable implementations of the Shared Signals Framework (SSF) and Continuous Access Evaluation Profile (CAEP). This included Okta, SailPoint, and Cisco as well as security startups SGNL, VeriClouds, and Helisoft.  The SSF suite of standards underpins Zero-Trust architectures and promises to enable a more secure digital future for everyone.

Participants in the interoperability testing as Transmitters and Receivers of the SSF API.

The Shared Signals Framework is a Game Changer

Today’s businesses and their users demand seamless access to services. Often, this involves many concurrent logged in sessions to countless applications - and these sessions can last days or even weeks at a time. Over the course of the session, plenty can change:

  • A user may change their location
  • A malicious application may be found on a device
  • Users may be granted new privileges (or privileges may have been revoked)

Furthermore, there may be suspicious activity on user accounts that have meaningful implications for other dependent services - like an email address that is used to login to many other online services. 

The industry has worked hard over the last decade to make single sign-on and federated identity possible. This greatly improved the experience for users and opened many doors to make adoption of SaaS widespread. However, closing doors when needed was more of an afterthought, and hasn't been fully solved.

While many security solutions now exist, a lot of actionable data sits siloed within individual tools, applications, and dashboards—and it hasn’t historically traveled across service providers. This lack of data sharing constrains the implementation of a Zero Trust security posture.

Enter SSF: the Solution

The Shared Signals Framework is an open API built upon a suite of protocols that enable applications and service providers to communicate about security events in order to make dynamic access and authorization decisions. It acts as a signaling layer on a back channel that helps to secure sessions at near real-time.

Back in 2019, Google introduced a standards-based approach to continuously evaluating access authorization. The Continuous Access Evaluation Profile (CAEP) created a simpler way for IdPs and services to convey information about a given session. Meanwhile, the OpenID Foundation published the Risk & Incident Sharing and Collaboration (RISC) specification to define a standardized way to communicate account-level risk events. The two initiatives merged within the OpenID Foundation and formed the Shared Signals working group. CAEP and RISC are now profiles on top of the Shared Signals Framework (SSF). 

Now a maturing standard, SSF is an API with a standard format for expressing both account-level and session-level Security Events. It offers seamless, privacy-preserving data-sharing about security events between service providers. Organizations can easily integrate SSF into their security infrastructure and begin sending and receiving Security Events across an ecosystem. This enables organizations to deliver Zero Trust security underpinned by continuous risk assessment efficiently and at scale.

Security through Collaboration

In a recent report by the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA), the authors note that the Shared Signals Framework is an emerging, promising standard gaining traction in the industry. They state “support for and the development of these standards in the enterprise ecosystem will enable a variety of security use cases, ranging from limiting access to managed devices to quickly revoking access when accounts are compromised.” They further recommend broader support for the development and implementation of identity standards as a crucial underpinning of security.

The interoperability session held at the Gartner IAM Summit in London demonstrates, not only the latest in security protocols, but also the industry’s shift towards collaborative security enabled by Open Standards. By sharing these security events across an ecosystem of trusted parties, organizations have more informed Zero Trust implementations and are empowered to mitigate threats more effectively. 

Input to the Work Group

The OIDF Shared Signals Work Group is very active and welcomes a wider set of requirements from implementors. For example, implementors at April's Internet Identity Workshop (IIW) discussed the possibility of using the Shared Signals Framework to communicate lifecycle and security signals between participants (issuers, wallets, etc.) in mobile driving license (mDL) and other digital identity ecosystems. Such an approach would lower the burden on issuing authorities to deploy across wallets and ensure their policies are enforced consistently.

Join us to get involved!

About the OpenID Foundation

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate.
Find out more at