CAEP & Continuous Evaluation
Real-time access control that responds to security events using the Continuous Access Evaluation Protocol (CAEP).
What is CAEP?
Continuous Access Evaluation Protocol (CAEP) is an open standard developed by the OpenID Foundation for real-time communication of security events between identity providers, security tools, and relying applications.
Traditional authentication happens once at login. If a user's device is compromised or they're terminated 30 minutes later, their active sessions remain valid until the token expires. CAEP solves this by allowing security events to trigger immediate re-evaluation of access decisions.
TigerIdentity as a CAEP Receiver and Transmitter: TigerIdentity receives CAEP events from your security stack (IdP, SIEM, EDR) and uses them to automatically revoke sessions or trigger policy re-evaluation. It also transmits CAEP events to downstream applications when access decisions change.
CAEP Receiver
TigerIdentity subscribes to events from upstream systems:
- Okta, Azure AD, Auth0 (identity providers)
- CrowdStrike, Microsoft Defender (EDR)
- Splunk, Datadog (SIEM/monitoring)
CAEP Transmitter
TigerIdentity publishes events to downstream applications:
- Your SaaS apps and internal services
- API gateways and proxies
- Custom applications via webhook
Supported Event Types
TigerIdentity supports all standard CAEP event types defined in the specification:
session-revoked
The user's session has been terminated by an administrator or due to a security policy. All active sessions should be immediately revoked.
credential-change
The user's credentials (password, MFA device) have been changed. This may indicate account takeover, so re-authentication should be required.
assurance-level-change
The user's authentication assurance level has changed (e.g., MFA removed, device compliance changed). Access to sensitive resources may need re-evaluation.
device-compliance-change
The user's device no longer meets compliance requirements (disk encryption disabled, outdated OS, malware detected). Device-conditional policies should be re-evaluated.
token-claims-change
Claims in the user's token have changed (group membership, attributes, roles). Access policies that depend on these claims should be re-evaluated.
risk-score-change
The user's or session's risk score has changed based on behavioral analysis, threat intelligence, or anomaly detection. High-risk sessions should be challenged or terminated.
Receiving Events
Configure TigerIdentity to receive CAEP events from your security stack via webhooks or by subscribing to event streams.
apiVersion: tigeridentity.com/v1
kind: CAEPReceiver
metadata:
  name: okta-caep-events
spec:
  # Event source configuration
  source:
    type: okta
    webhook:
      # TigerIdentity webhook endpoint
      url: https://events.tigeridentity.com/caep/okta
      # Webhook signature verification
      signing_secret:
        secretRef:
          name: okta-webhook-secret
          key: secret
  # Which event types to subscribe to
  event_types:
    - session-revoked
    - credential-change
    - token-claims-change
    - assurance-level-change
  # Event filtering (optional)
  filters:
    - field: subject.email
      operator: ends_with
      value: "@company.com"  # Only process events for our users
  # Event routing rules
  actions:
    - event_type: session-revoked
      action: revoke_all_sessions
      target: subject.id
    - event_type: credential-change
      action: require_reauthentication
      target: subject.id
      scope: high_risk_resources
    - event_type: token-claims-change
      action: reevaluate_policies
      target: subject.id
    - event_type: assurance-level-change
      action: conditional_revocation
      conditions:
        - when:
            new_assurance_level: { lte: 2 }
          then:
            revoke_resources:
              classification: [pii, financial]
Setup Instructions
- Apply the CAEP receiver configuration to TigerIdentity
- Copy the webhook URL from the TigerIdentity dashboard
- Configure the webhook in your IdP/SIEM (Okta, Azure AD, etc.)
- Test the integration by triggering a test event
- Monitor the TigerIdentity events dashboard for incoming events
Evaluating Events
When TigerIdentity receives a CAEP event, it evaluates the event against your policies and session state to determine the appropriate response.
Event Ingestion
The CAEP event is received via webhook and validated (signature verification, schema validation), then enriched with additional context from the Identity Fabric.
Session Lookup
Find all active sessions for the subject (user, service account, etc.). Check if the event affects any of these sessions based on the event type and context.
Policy Re-evaluation
Re-run policy evaluation for affected sessions using updated context from the event (new risk score, changed attributes, device status, etc.).
Action Execution
Take appropriate action based on evaluation results: revoke sessions, require re-authentication, send notifications, or log for audit.
{
  "iss": "https://company.okta.com",
  "jti": "evt_abc123",
  "iat": 1707134400,
  "aud": "https://events.tigeridentity.com/caep/okta",
  "events": {
    "https://schemas.openid.net/secevent/caep/event-type/assurance-level-change": {
      "subject": {
        "format": "email",
        "email": "[email protected]"
      },
      "current_level": "nist-aal2",
      "previous_level": "nist-aal3",
      "change_direction": "decrease",
      "event_timestamp": 1707134380,
      "reason_admin": "User removed MFA device",
      "initiating_entity": "[email protected]"
    }
  }
}
# TigerIdentity's evaluation result:
{
  "event_id": "evt_abc123",
  "processed_at": "2026-02-05T10:40:00Z",
  "subject": "user:[email protected]",
  "event_type": "assurance-level-change",
  "actions_taken": [
    {
      "action": "revoke_sessions",
      "target_resources": [
        "db:prod-customer-db",
        "db:prod-financial-db"
      ],
      "reason": "MFA removed - high-risk resources require AAL3",
      "sessions_revoked": 2
    },
    {
      "action": "notify",
      "channels": ["email", "slack"],
      "recipients": ["[email protected]", "security-team"]
    }
  ],
  "evaluation_time_ms": 45
}
Acting on Events
Based on the event type and policy evaluation, TigerIdentity can take various automated actions:
Immediate Actions
- Revoke all sessions - Terminate all active sessions for the subject
- Revoke specific sessions - Only terminate sessions for certain resources
- Require re-authentication - Force user to log in again with MFA
- Block new access - Prevent new access grants until resolved
Conditional Actions
- Step-up authentication - Require additional MFA challenge
- Reduce permissions - Revoke write access, keep read-only
- Increase monitoring - Log all activity for manual review
- Send alerts - Notify security team for investigation
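The four evaluation steps (ingestion, session lookup, policy re-evaluation, action execution) applied to the assurance-level-change SET shown earlier, as an added Python example that is not TigerIdentity's own code. It assumes an HS256 shared secret stands in for the webhook signing_secret, a constructed in-memory session table and a constructed subject address, and it implements the receiver rule "new_assurance_level lte 2 revokes pii and financial resources"; the page does not describe TigerIdentity's real signing scheme or session store.

```python
import base64
import hashlib
import hmac
import json

CAEP_ALC = "https://schemas.openid.net/secevent/caep/event-type/assurance-level-change"
AAL_RANK = {"nist-aal1": 1, "nist-aal2": 2, "nist-aal3": 3}
# Constructed session store: the subject's active sessions and each resource's classification.
SESSIONS = [
    {"id": "sess_1", "subject": "alice@company.com", "resource": "db:prod-customer-db", "class": "pii"},
    {"id": "sess_2", "subject": "alice@company.com", "resource": "db:prod-financial-db", "class": "financial"},
    {"id": "sess_3", "subject": "alice@company.com", "resource": "wiki:internal", "class": "public"},
]

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_set(payload: dict, secret: bytes) -> str:
    """Build an HS256-signed SET (JWT) as a transmitter would; hypothetical shared-secret setup."""
    header = {"typ": "secevent+jwt", "alg": "HS256"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_set(token: str, secret: bytes, expected_aud: str) -> dict:
    """Ingestion step: verify signature and audience before trusting any claim in the SET."""
    enc_header, enc_payload, enc_sig = token.split(".")
    if json.loads(_b64url_decode(enc_header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(secret, f"{enc_header}.{enc_payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(enc_sig)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(enc_payload))
    if payload.get("aud") != expected_aud or "events" not in payload:
        raise ValueError("wrong audience or not a SET")
    return payload

def sessions_to_revoke(payload: dict, sessions=SESSIONS) -> list:
    """Lookup + re-evaluation: apply 'new_assurance_level lte 2 -> revoke pii/financial' to the subject's sessions."""
    event = payload["events"].get(CAEP_ALC)
    if event is None:
        return []  # not an assurance-level-change SET; other handlers would apply
    if AAL_RANK.get(event["current_level"], 0) > 2:
        return []  # still AAL3: the policy on pii/financial resources remains satisfied
    email = event["subject"]["email"]
    return [s["id"] for s in sessions if s["subject"] == email and s["class"] in ("pii", "financial")]
```

The returned session ids are what the action-execution step would terminate; sessions on non-sensitive resources survive, matching the page's evaluation result of two revoked sessions.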
Publishing Events
TigerIdentity also acts as a CAEP transmitter, publishing events to downstream applications when access decisions change. This ensures that your applications can react to access revocations in real-time.
apiVersion: tigeridentity.com/v1
kind: CAEPTransmitter
metadata:
  name: downstream-apps-caep
spec:
  # Applications that will receive CAEP events
  subscribers:
    - name: internal-api-gateway
      webhook_url: https://api-gateway.company.internal/caep
      signing_secret:
        secretRef:
          name: api-gateway-caep-secret
          key: secret
      event_types:
        - session-revoked
        - token-claims-change
    - name: data-warehouse
      webhook_url: https://data-warehouse.company.internal/webhooks/caep
      signing_secret:
        secretRef:
          name: dw-webhook-secret
          key: secret
      event_types:
        - session-revoked
      # Only send events for data warehouse resources
      filters:
        - field: resource.type
          operator: equals
          value: snowflake_warehouse
  # Event publishing settings
  delivery:
    retry_attempts: 3
    retry_backoff: exponential
    timeout: 5s
    # Send events in batches for high volume
    batch_size: 10
    batch_timeout: 1s
{
  "iss": "https://tigeridentity.company.com",
  "jti": "evt_xyz789",
  "iat": 1707134500,
  "aud": "https://api-gateway.company.internal/caep",
  "events": {
    "https://schemas.openid.net/secevent/caep/event-type/session-revoked": {
      "subject": {
        "format": "email",
        "email": "[email protected]"
      },
      "event_timestamp": 1707134480,
      "reason_admin": "Automatic revocation due to assurance level decrease",
      "initiating_entity": "system:tigeridentity",
      "session": {
        "id": "sess_abc123",
        "resource": "db:prod-customer-db",
        "granted_at": "2026-02-05T08:30:00Z",
        "revoked_at": "2026-02-05T10:48:00Z"
      }
    }
  }
}
Integration with Policy Engine
CAEP events can trigger automatic policy re-evaluation. Write policies that specify how to respond to different event types:
# policy-with-caep-response.yaml
apiVersion: tigeridentity.com/v1
kind: Policy
metadata:
  name: caep-based-access-control
spec:
  subjects:
    - type: user
  resources:
    - type: database
      attributes:
        classification: [pii, financial]
  actions: ["*"]
  # Normal conditions for access
  conditions:
    - require:
        subject.mfa_verified: true
        subject.device.managed: true
      effect: allow
  # CAEP event handlers
  caep_handlers:
    # Revoke immediately on these events
    - event_types:
        - session-revoked
        - device-compliance-change
      action: revoke_immediately
    # Re-evaluate on these events
    - event_types:
        - assurance-level-change
        - risk-score-change
      action: reevaluate
      # Only revoke if policy now fails
      revoke_if_denied: true
    # Step-up auth on these events
    - event_types:
        - credential-change
      action: require_reauthentication
      # Allow grace period
      grace_period: 15m
Best Practices
Subscribe to critical event types
At minimum, subscribe to session-revoked, credential-change, and device-compliance-change events. These have the highest security impact.
Use event filtering
Only process events relevant to your organization. Filter by domain, user attributes, or resource types to reduce noise.
Configure appropriate response actions
Not all events require immediate revocation. Use conditional actions and step-up authentication for medium-severity events.
Monitor webhook delivery
Set up alerts for failed webhook deliveries. Ensure your IdP can reach TigerIdentity's webhook endpoints.
Test your CAEP integration
Regularly test that events are flowing correctly by triggering test events (e.g., remove MFA from a test user) and verifying the response.
Enable Continuous Access Evaluation
Respond to security events in real-time with automated access revocation and policy re-evaluation.