Shared Signals Framework (SSF) RISC Events provide real-time risk and incident sharing capabilities that enable immediate response to account security events and identity lifecycle changes. Unlike traditional Systems of Record that synchronize static data, the RISC Events integration receives real-time security events that signal critical account state changes, credential compromises, and identity risk events across your identity ecosystem.
The RISC Events integration processes account lifecycle and security events including credential change requirements, account disabling and enabling, account purging, identifier changes and recycling, and credential compromise notifications. These events provide immediate visibility into account security state changes that require urgent response, enabling rapid security incident coordination and automated risk mitigation across connected systems.
This integration is particularly valuable for organizations implementing comprehensive security incident response where account security events must trigger immediate coordinated response across multiple systems. By processing RISC events from identity providers, security operations centers, and risk management systems, SGNL can immediately adjust access policies and coordinate security responses based on real-time risk intelligence rather than relying on delayed incident response processes.
Important Event Retention Characteristics: Unlike traditional Systems of Record that maintain persistent data, RISC events are retained in the SGNL graph for a maximum of 30 days. Additionally, each subject (as identified by the sub_id in the SSF event) can have a maximum of 50 events associated with it; older events automatically drop off when this limit is exceeded. This event-based retention model is designed to provide real-time security context while maintaining system performance.
To successfully configure the SSF RISC Events integration, you need the ability to configure event sources and establish secure event delivery mechanisms.
Event Source Configuration: You need administrative access to the systems that will generate RISC events, including identity providers, security operations centers, and risk management systems. This includes the ability to configure event destinations and event filtering.
Network and Security Configuration: You need the ability to configure network routing and security policies to enable event sources to deliver events to SGNL endpoints, including any necessary firewall rules, proxy configurations, or network security policies.
The RISC Events integration supports several standardized event types that provide different aspects of account security and risk context:
Account Lifecycle Events: Account Enabled and Account Disabled events provide real-time visibility into account status changes that affect user access capabilities. Account Purged events signal permanent account removal and data cleanup requirements across connected systems.
Credential Security Events: Account Credential Change Required events indicate when users must update their authentication credentials due to security requirements or policy changes. Credential Compromise events signal detected or suspected credential security breaches that require immediate response.
Identity Management Events: Identifier Changed events signal modifications to user identifiers such as usernames or email addresses that require synchronization across systems. Identifier Recycled events indicate when previously used identifiers are being re-assigned to new users, requiring careful access control review.
These events focus specifically on account security and risk management scenarios that require immediate cross-system coordination and response.
Before configuring SGNL, you need to prepare your event sources to generate properly formatted RISC events and deliver them securely to SGNL.
RISC events follow the OpenID Shared Signals Framework specification and are delivered as JSON Web Tokens (JWTs) containing standardized event payloads. Each event includes standard JWT claims (issuer, audience, issued at, JWT ID) plus event-specific claims that provide security and risk context.
Events must be properly structured according to the RISC specification, with event types identified by their schema URIs (e.g., https://schemas.openid.net/secevent/risc/event-type/account-disabled) and containing appropriate event-specific claims such as reason codes, credential types, or identifier information.
The RISC Events integration supports two verification methods that can be used individually or in combination:
Bearer Token Authentication: Event sources authenticate using SGNL-generated bearer tokens included in the Authorization header. This method provides authentication for event sources and is managed through the “Require Authentication” setting in SGNL.
JWT Signature Verification: Event sources sign RISC events using JSON Web Signature (JWS) with keys distributed through JWKS endpoints or well-known configuration endpoints. This method provides cryptographic verification of event authenticity and integrity and is managed through the “Require Signed Events” setting in SGNL.
Combined Verification: For maximum security, both authentication and signature verification can be required, ensuring that events include valid bearer tokens AND valid cryptographic signatures.
Unlike traditional SoR integrations that use authentication credentials to pull data, the RISC Events integration is configured as an event push system that receives events from external sources.
Delivery Method: The integration is pre-configured with deliveryMethod: "eventPush" and pushType: "SSF", indicating that it receives Shared Signals Framework events through push delivery rather than polling for data.
Event Endpoint: SGNL will provide a specific endpoint URL where event sources should deliver RISC events. This endpoint is configured in the SoR settings and must be shared with all systems that will send RISC events to SGNL.
Configure how SGNL will verify incoming RISC events using the Event Transmitter Verification section:
Require Authentication: Enable this option to require that event sources authenticate to SGNL when delivering events.
Require Signed Events: Enable this option to require that events are cryptographically signed by the event source.
Combined Verification: You can enable both authentication and signature verification for maximum security. When both are enabled, events must include valid bearer tokens AND valid cryptographic signatures to be processed.
Configure which RISC event types should be processed and how they should be handled:
Supported Event Types: The integration includes pre-configured entities for standard RISC event types including Account Credential Change Required, Account Purged, Account Disabled, Account Enabled, Identifier Changed, Identifier Recycled, and Credential Compromise.
Event Entity Selection: Enable synchronization for the event types that are relevant to your security incident response and access control policies. Each event type captures different security and risk context and may be used for different response scenarios.
Custom Attribute Configuration: Use JSON Path expressions to extract additional attributes from event payloads beyond the standard pre-configured attributes. This allows you to process organization-specific event claims or custom security context.
Each RISC event type is represented as a separate entity within SGNL, with attributes that capture both standard JWT claims and event-specific security and risk context.
Standard Event Attributes: All RISC events include standard attributes such as event ID (jti), subject identifier (typically email), issuer, audience, issued at timestamp, and SGNL processing metadata including raw event payload and processing timestamp.
Event-Specific Context: Each event type includes attributes specific to the security or risk context it represents. For example, Account Disabled events include reason information, Identifier Changed events include the new identifier value, and Credential Compromise events include credential type and detailed reason descriptions.
Security Context Attributes: Events include security context such as event timestamps, administrative and user-facing reason descriptions, and credential-specific information that provides additional context for incident response and access control decisions.
Raw Event Preservation: The integration preserves the complete raw event payload and JWT token, enabling forensic analysis and custom processing of event data that may not be captured in the standard attribute mapping.
After configuring the SSF RISC Events integration, systematic testing ensures that events are being received, authenticated, and processed correctly.
Once events are being received successfully, you can monitor and validate event processing through multiple interfaces:
Event Stream Logs: Access comprehensive event processing logs through Logs → Event Streams in the SGNL console:
DataLens Analysis: Use DataLens to explore your RISC event data:
Note: Remember that events are retained for a maximum of 30 days and each subject can have up to 50 events, so DataLens queries will reflect this retention model.
Events Not Received: If SGNL is not receiving events, verify that event sources are configured with the correct SGNL endpoint URL and that network connectivity exists between event sources and SGNL. Check firewall rules, proxy configurations, and DNS resolution.
Authentication Failures: If events are being rejected due to authentication errors, verify that JWT signature verification is configured correctly with the appropriate JWKS endpoints or that bearer tokens are valid and properly included in event delivery.
Event Format Errors: If events are being rejected due to format issues, verify that event sources are generating properly formatted RISC events according to the OpenID specification. Check that event schema URIs match the expected RISC event type definitions.
Key Resolution Problems: If signature verification is failing, verify that JWKS endpoints are accessible from SGNL and that they contain the correct public keys. Check that key IDs in event signatures match keys available in the JWKS endpoint.
Signature Validation Errors: If signature validation is failing for correctly formatted events, verify that event sources are using the correct signing algorithms and that the private keys used for signing correspond to the public keys available in the JWKS endpoint.
Key Refresh Issues: If signature verification intermittently fails, check that SGNL is properly refreshing signing keys from JWKS endpoints and that key rotation is being handled correctly by both event sources and SGNL.
Missing Event Attributes: If expected event attributes are not being populated, verify that the event payloads contain the expected claims and that JSON Path expressions are correctly configured to extract the desired attributes.
Custom Attribute Configuration: If custom attributes configured using JSON Path are not being extracted, verify the JSON Path expressions against actual event payloads and ensure that the attribute paths correctly navigate the event structure.
Event Source Compatibility: Different security operations centers and identity providers may generate RISC events with variations in structure or claims. If events from specific sources are not processing correctly, review the event structure and consider custom attribute configuration to handle source-specific variations.
Time Synchronization: RISC events include timing information that may be critical for incident response decisions. Ensure that event sources and SGNL have synchronized clocks to avoid issues with event timing and response coordination.
Event Deduplication: Some event sources may send duplicate events. SGNL does not allow duplicate events: an event that presents a duplicate JTI (the JWT ID claim, jti) is disallowed.
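For the Event Format Errors and Key Resolution Problems items above, a transmitter-side pre-flight check can catch most rejections before an event is sent. The following is an added example, not SGNL code: it decodes a RISC event JWT, checks the standard claims and event-type URIs, and confirms the header's key ID exists in a JWKS document. It does not verify the signature, and the function names, key IDs, hosts and trimmed JWKS are constructed placeholders.

```python
import base64, json

RISC = "https://schemas.openid.net/secevent/risc/event-type/"  # RISC schema URI prefix
SUPPORTED = {RISC + n for n in (  # the seven event types this page lists as supported
    "account-credential-change-required", "account-purged", "account-disabled", "account-enabled",
    "identifier-changed", "identifier-recycled", "credential-compromise")}

def b64json(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def unb64json(seg: str) -> dict:
    obj = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    return obj if isinstance(obj, dict) else {}

def preflight(token: str, jwks: dict) -> list:
    """List format and key-resolution problems. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWS (expected 3 dot-separated segments)"]
    try:
        header, claims = unb64json(parts[0]), unb64json(parts[1])
    except ValueError:
        return ["header or payload is not base64url-encoded JSON"]
    problems = []
    alg, kid = header.get("alg"), header.get("kid")
    if not parts[2] or str(alg).lower() == "none":  # a missing alg also counts as unsigned
        problems.append("event is unsigned")
    key = next((k for k in jwks.get("keys", []) if k.get("kid") == kid), None)
    if key is None:
        problems.append(f"kid {kid!r} not present in JWKS")
    elif key.get("alg") not in (None, alg):
        problems.append(f"alg {alg!r} differs from JWKS key alg {key['alg']!r}")
    problems += [f"missing claim: {c}" for c in ("iss", "aud", "iat", "jti") if c not in claims]
    events = claims.get("events")
    if not isinstance(events, dict) or not events:
        problems.append("missing or empty 'events' claim")
    else:
        problems += [f"unsupported event type: {u}" for u in events if u not in SUPPORTED]
    return problems

# Constructed sample data: key IDs and hosts are placeholders, JWKS is trimmed to inspected fields.
JWKS = {"keys": [{"kid": "key-a", "kty": "RSA", "alg": "RS256"}]}
BASE = {"iss": "https://idp.example.com", "aud": "https://receiver.example.com", "iat": 1700000000}
def sample_token(header: dict, claims: dict) -> str:
    return ".".join([b64json(header), b64json(claims), "c2ln"])  # "c2ln" is a placeholder signature
GOOD = sample_token({"alg": "RS256", "kid": "key-a"}, {**BASE, "jti": "evt-0001",
    "events": {RISC + "account-disabled": {"reason": "hijacking"}}})
BAD = sample_token({"alg": "RS256", "kid": "key-old"}, {**BASE,  # stale kid, no jti, URI typo
    "events": {RISC + "account_disabled": {}}})
```

An empty list from `preflight(GOOD, JWKS)` means the structure and key reference are plausible; cryptographic verification still happens at the receiver.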
Once your SSF RISC Events integration is successfully configured and receiving events, you can leverage real-time security and risk events in dynamic SGNL policies that respond immediately to account security incidents and risk conditions.
Account Lifecycle-Based Access Control: Use Account Enabled and Account Disabled events to create policies that immediately respond to account status changes. When an account is disabled due to security concerns, policies can instantly revoke access across all connected systems, ensuring comprehensive access termination.
Credential Security Response: Leverage Credential Compromise and Account Credential Change Required events to create policies that respond to credential security incidents. Compromised credentials can trigger immediate access restrictions, forced re-authentication requirements, and elevated monitoring across all related systems.
Identity Management Coordination: Use Identifier Changed and Identifier Recycled events to create policies that coordinate identity updates across systems. When user identifiers change, policies can ensure that access permissions follow the user to their new identifier while preventing unauthorized access through old identifiers.
Risk-Based Access Restrictions: Leverage the comprehensive risk context in RISC events to create dynamic policies that adjust access based on real-time security intelligence. Users associated with security incidents can be subject to enhanced authentication requirements or restricted access until incidents are resolved.
Incident Response Automation: Use RISC events to automate incident response workflows that extend beyond individual systems. A security incident detected in one system can immediately trigger coordinated response actions across your entire technology ecosystem, creating unified security response capabilities.
Account Purging and Data Management: Leverage Account Purged events to create policies that coordinate data cleanup and access revocation across multiple systems when accounts are permanently removed. This ensures comprehensive data management and privacy compliance.
Cross-System Security Coordination: Use RISC events to coordinate security responses across multiple systems and security tools. A risk event in one system can immediately trigger policy adjustments and security measures in related systems, creating a unified security response across your entire technology ecosystem.
Audit and Compliance Integration: Leverage the comprehensive event data including raw payloads and processing timestamps to create audit trails that demonstrate real-time security incident response capabilities and compliance with security monitoring requirements.
For comprehensive guidance on creating policies with RISC event data, refer to the SGNL Policy Management documentation. For understanding how to use JSON Path expressions to extract custom attributes from event payloads, review the JSON Path guide.