
TonyC.55034 (Customer) asked a question.
Hello there,
We are detecting some users authenticating to OKTA from securityContext.domain eq "googleusercontent.com". We do not have any services within Google Cloud, and neither does the end user.
Have you noticed in your environment any user authenticating to OKTA from Google Cloud or any other cloud while having two IP addresses in the logs? One a private IP address and the other an external one?
See below the partial logs.
- Request IPChain GeographicalContext
- IP 10.56.68.232
- Source
- Version V4
- IPChain GeographicalContext City Council Bluffs
- Country United States
- Geolocation Lat 41.2591
- Lon -95.8517
- PostalCode 51502
- State Iowa
- IP 35.184.94.66
- Source
- Version V4

Hello Tony,
Thank you for reaching out to Okta Support, my name is George.
The securityContext.domain eq "googleusercontent.com" event is usually associated with "Google Workspace". If you would like to have an engineer check out your environment and the system logs to help you debug them, please open a support ticket from your Admin portal and we can start an investigation.
On the other hand, if you see multiple IP addresses, it means Okta detected proxy IP addresses during the request.
If the incoming request to Okta passes through any proxies, the IP addresses of those proxies will be stored in the ipChain.
I hope you'll find this response helpful.
Best regards,
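
A triage sketch for the ipChain behaviour described in the answer above, as an added example that is not part of the original thread and not Okta's own code. It assumes events shaped like Okta System Log entries (`request.ipChain`, `securityContext.domain`); the watchlist, the sample actor and the event type are constructed for illustration.

```python
import ipaddress

# Assumption: domains this organisation does not expect sign-ins from (hypothetical watchlist).
UNEXPECTED_DOMAINS = {"googleusercontent.com"}

# Constructed sample event using the values quoted in the question;
# actor and eventType are made up for illustration.
SAMPLE_EVENT = {
    "eventType": "user.session.start",
    "actor": {"alternateId": "user@example.com"},
    "securityContext": {"domain": "googleusercontent.com"},
    "request": {"ipChain": [
        {"ip": "10.56.68.232", "version": "V4", "source": None,
         "geographicalContext": None},
        {"ip": "35.184.94.66", "version": "V4", "source": None,
         "geographicalContext": {"city": "Council Bluffs", "state": "Iowa",
                                 "country": "United States", "postalCode": "51502",
                                 "geolocation": {"lat": 41.2591, "lon": -95.8517}}},
    ]},
}

def review_event(event, unexpected_domains=UNEXPECTED_DOMAINS):
    """Classify each ipChain hop and list the reasons the event deserves review."""
    chain = (event.get("request") or {}).get("ipChain") or []
    hops = []
    for hop in chain:
        try:
            addr = ipaddress.ip_address(hop.get("ip", ""))
        except ValueError:
            # Keep malformed hops visible instead of silently dropping them.
            hops.append({"ip": hop.get("ip"), "scope": "invalid", "city": None})
            continue
        geo = hop.get("geographicalContext") or {}
        scope = "private" if addr.is_private else "public"
        hops.append({"ip": str(addr), "scope": scope, "city": geo.get("city")})
    reasons = []
    if len(hops) > 1:
        reasons.append("request passed through at least one proxy")
    if any(h["scope"] == "private" for h in hops):
        reasons.append("chain contains a non-public address")
    domain = ((event.get("securityContext") or {}).get("domain") or "").lower()
    if domain in unexpected_domains:
        reasons.append(f"unexpected securityContext.domain: {domain}")
    return {"user": (event.get("actor") or {}).get("alternateId"),
            "hops": hops, "reasons": reasons}

if __name__ == "__main__":
    print(review_event(SAMPLE_EVENT))
```

Run over exported System Log events, the `reasons` list gives a quick way to group sign-ins that arrived through a proxy chain from a domain the organisation does not use.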