
Okta Agentless DSSO Fails After Re-authentication Timer Exceeded

Directories

Overview

Agentless Desktop Single Sign-On (ADSSO) fails when a user exceeds the re-authentication timer configured in the Authentication Policies, requiring the user to establish a new global session to receive a new ADSSO token. When the timer expires, Okta redirects the user to the default sign-in page instead of using ADSSO, because the re-authentication flow uses a different method than the initial Okta sign-on. View the configured re-authentication timer in the Okta Admin Console by navigating to Security > Authentication Policies > Rules, then locating the Re-Authentication Frequency section.
 


Applies To

  • Okta Identity Engine (OIE)
  • Agentless DSSO (ADSSO)
  • Authentication Policies

Cause

When a user exceeds the re-authentication frequency timer for any Authentication Policy rule, Okta redirects the previously authenticated user to the sign-in page. Because the re-authentication flow uses a different method from the initial Okta sign-on, ADSSO cannot be used. Re-authentication via ADSSO fails, and Okta automatically redirects the user to the default login page.
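To see which rules will send a user to the sign-in page at a given time since their last authentication, the timers can be checked offline against exported rule objects. This is an added example, not Okta's code: it assumes rules exported from the Okta Policy API, where the re-authentication frequency appears as an ISO 8601 duration in `actions.appSignOn.verificationMethod.reauthenticateIn`, and it assumes a rule without that field has no timer; the rule names and values are constructed.

```python
import json
import re
from datetime import timedelta

# Constructed sample shaped like Okta Policy API authentication policy rules;
# rule names and timer values are made up for illustration.
SAMPLE_RULES = json.loads("""
[
  {"name": "Corp network", "status": "ACTIVE",
   "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod":
     {"type": "ASSURANCE", "factorMode": "1FA", "reauthenticateIn": "PT12H"}}}},
  {"name": "Admin apps", "status": "ACTIVE",
   "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod":
     {"type": "ASSURANCE", "factorMode": "2FA", "reauthenticateIn": "PT0S"}}}},
  {"name": "Catch-all", "status": "ACTIVE",
   "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod":
     {"type": "ASSURANCE", "factorMode": "1FA"}}}}
]
""")

_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def parse_duration(value):
    """Parse the day/hour/minute/second subset of ISO 8601 durations."""
    m = _DURATION.match(value)
    if not m or value in ("P", "PT"):
        raise ValueError(f"unsupported duration: {value!r}")
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)

def rules_forcing_sign_in(rules, since_last_auth):
    """Return (rule name, timer) for active rules whose timer has been exceeded."""
    hits = []
    for rule in rules:
        if rule.get("status") != "ACTIVE":
            continue
        vm = rule.get("actions", {}).get("appSignOn", {}).get("verificationMethod", {})
        raw = vm.get("reauthenticateIn")
        if raw is None:  # assumption: no field means no timer to exceed
            continue
        timer = parse_duration(raw)
        if since_last_auth > timer:  # "exceeds" the timer, as the article puts it
            hits.append((rule["name"], timer))
    return hits

if __name__ == "__main__":
    for name, timer in rules_forcing_sign_in(SAMPLE_RULES, timedelta(hours=13)):
        print(f"{name}: re-authentication timer {timer} exceeded, expect the sign-in page")
```
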

Solution

How is the Agentless DSSO re-authentication failure resolved?

Generate a new ADSSO token and establish a new global session by performing one of the following actions:

  • Sign out of Okta and sign back in.
  • Clear the browser cache and cookies.
