Make Zero Trust Real with SSF: Tines, Kolide, Okta
Zero Trust promises a smaller attack surface and faster threat response, but many teams struggle to implement it because security tools don’t reliably share signals. According to Accenture, 88% of organizations report significant challenges. When products can’t communicate, continuous access decisions break down.
Enter the Shared Signals Framework (SSF). SSF standardizes how security events are exchanged (including CAEP), but adoption is uneven—Kolide Device Trust, for example, doesn’t currently support SSF. To bridge that gap, Scott Bean, Senior IAM and Security Engineer at MongoDB, built a Tines-powered workflow that operationalizes SSF across your environment.
Solution at a glance
- Kolide flags a non-compliant device and sends a webhook to Tines
- Tines enriches the signal, maps it to a user, and builds a Security Event Token (SET)
- Tines signs the SET and delivers it to Okta as a CAEP device_compliance_change event
- Okta updates risk and enforces Zero Trust policies in real time
Why this matters
- Real-time enforcement: Immediate device posture updates drive accurate access decisions
- Interoperability: SSF signals flow even when tools don’t natively support SSF
- Less overhead: Tines hosts SSF metadata endpoints and manages token signing
- Better UX: Automated remediation reduces IT intervention and keeps users productive
What you need
Tools
- Tines (workflow orchestration and AI)
- Kolide (device trust and posture)
- Okta (identity platform and SSF receiver)
Credentials
- Tines API key (Team-scoped, Editor role)
- Kolide API key (Read-only)
- Kolide Webhook Signing Secret
Resources
- An Okta domain such as example.okta.com, example.oktapreview.com, or a branded domain
How the workflow operates
- Generate and store SET signing keys
  - Create an RSA key pair, convert to JWK, and store the private key as a Tines secret
  - Publish the public JWK so receivers can verify SET signatures
- Expose an SSF transmitter API in Tines
  - Provide a .well-known/sse-configuration endpoint describing transmitter capabilities
  - Expose a JWKS endpoint with public keys for signature verification
  - Use a webhook as the SSF API surface with logic to return .well-known and JWKs
  - Register the transmitter in Okta under Security → Device Integrations → Receive shared signals, then create a stream using the API URL and .well-known endpoint
- Create, sign, and send SETs from Kolide events
  - Receive Kolide issue opened/resolved events via webhook and validate with the signing secret
  - Fetch device and user metadata from Kolide to enrich the signal
  - Build a CAEP device_compliance_change SET, sign it with your private key, and send it to Okta’s security-events endpoint
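The key, build, sign and verify steps above, as an added Node.js example (not the Tines workflow's own code and not from the original page): it creates the RSA key and public JWK, builds a CAEP device-compliance-change SET, signs it with RS256, and checks it against the published JWKS the way a receiver would. The input event fields (`state`, `userEmail`, `timestamp`), the key id, and the placement of `subject` inside the event are assumptions; confirm the subject format your receiver expects.

```javascript
const nodeCrypto = require('crypto');
// CAEP event type URI for device posture changes.
const EVENT_TYPE = 'https://schemas.openid.net/secevent/caep/event-type/device-compliance-change';
const b64url = (value) => Buffer.from(value).toString('base64url');

// Transmitter key pair; the public half is what the JWKS endpoint publishes.
function generateSigningKey(kid) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const jwk = { ...publicKey.export({ format: 'jwk' }), kid, alg: 'RS256', use: 'sig' };
  return { privateKey, jwks: { keys: [jwk] } };
}

// Map an enriched posture event (hypothetical field names) to SET claims (RFC 8417).
function buildSet(evt, issuer, audience) {
  const compliant = evt.state === 'resolved';
  return {
    iss: issuer,
    aud: audience,
    jti: nodeCrypto.randomUUID(),
    iat: Math.floor(Date.now() / 1000),
    events: {
      [EVENT_TYPE]: {
        // Assumption: subject carried inside the event, identified by email.
        subject: { user: { format: 'email', email: evt.userEmail } },
        previous_status: compliant ? 'not-compliant' : 'compliant',
        current_status: compliant ? 'compliant' : 'not-compliant',
        event_timestamp: evt.timestamp,
      },
    },
  };
}

// Compact JWS signed with RS256 (RSASSA-PKCS1-v1_5 with SHA-256).
function signSet(claims, privateKey, kid) {
  const header = { alg: 'RS256', typ: 'secevent+jwt', kid };
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${b64url(nodeCrypto.sign('sha256', Buffer.from(input), privateKey))}`;
}

// Receiver side: select the key by kid, pin the algorithm, verify the signature.
function verifySet(token, jwks) {
  const [h, p, s] = token.split('.');
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (header.alg !== 'RS256' || !jwk) return null;
  const key = nodeCrypto.createPublicKey({ key: jwk, format: 'jwk' });
  const ok = nodeCrypto.verify('sha256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
  return ok ? JSON.parse(Buffer.from(p, 'base64url').toString()) : null;
}
```

`verifySet` returns the claims only when the `kid` matches a published key, the header algorithm is RS256 and the signature holds; anything else yields `null`.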
Step-by-step setup (quick start)
- Log into Tines (Community Edition works) or create an account
- Import the pre-built workflow from the Tines library
- Add required credentials: Tines API key, Kolide API key, Kolide Webhook Signing Secret
- Confirm your Okta tenant domain (e.g., example.okta.com or your branded domain)
- Generate a JWK keyset in Tines; store the private key as a secret and publish the public JWK
- Publish the SSF transmitter API with .well-known and JWKS endpoints
- Connect Kolide webhooks, enrich device/user context, build and sign SETs, and send them to Okta
Implementation notes
- SSF rides on HTTPS, so Tines HTTP actions fit naturally
- This pattern uses a push provider model; tokens are sent on inbound webhooks, so there’s no need to store state
- Once Okta receives and verifies the SET, associated user/device risk updates immediately
The bottom line
SSF lets your security stack “speak the same language,” but gaps appear when tools lack native support. Tines closes those gaps by receiving, enriching, signing, and delivering SSF-compliant CAEP events in real time—so you can enforce Zero Trust consistently across your environment. You can spin up this workflow in minutes with a free Tines account, and explore additional IAM patterns for unifying device trust, access decisions, and least-privilege enforcement.
Source: The Hacker News