<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
How to Use Multiple User Accounts with an Advanced Server Access or Okta Privileged Access Client
May 7, 2026
Advanced Server Access
Privileged Access
Okta Classic Engine
Okta Identity Engine
Overview

This article covers steps to enroll an Advanced Server Access (ASA) or Okta Privileged Access (OPA) client using an additional user account (for example, a standard and an admin account).  It assumes enrollment into a team with one account.

Applies To
  • Advanced Server Access (ASA)
  • Okta Privileged Access (OPA)
  • Okta Classic Engine
  • Okta Identity Engine (OIE)
Solution

The primary difficulty with enrolling a second account comes from being logged in already with the existing account.

  1. Log out of the ASA or OPA UI and the Okta org.
    • NOTE: If either session is still valid, ASA/OPA will automatically use that logged-in account rather than the second one to be enrolled.
  2. Enroll the client with the --force option:
    • ASA: sft enroll --team <team-name> --force
    • OPA: sft enroll --url https://<OrgSubDomain>.pam.okta.com --team <team-name> --force
      • The enroll command can be found in the OPA UI on the Directory > Clients page.
    • NOTE: If redirected to the ASA/OPA Client Setup page, the account is not fully logged out of the ASA/OPA team or Okta org.
  3. At the Okta sign-on page, authenticate using the second account that needs to be enrolled.
  4. At the ASA/OPA Client Setup page, click Approve.
    • NOTE: It may be necessary to customize the Client Name to indicate the username with which it is associated.
  5. On the CMD prompt, run sft list-teams, and the two different accounts should be displayed similarly to the following: 
    % sft list-teams
USERNAME        TEAM           URL                           ID                                      STATUS
asauser1        asa-team1    https://app.scaleft.com/v1    12ff4c94-b200-4690-a2c1-ab79e897605c   Expired 12h38m0s ago
asauser2        asa-team1    https://app.scaleft.com/v1    548b1ed2-add3-47fe-8c16-c7de07a9b8bc    (default) Never used
  6. To switch between accounts, run sft use <ID> where <ID> is the ID (uuid) of the desired username from the sft list-teams output.
    • NOTE: The username that has "(default)" as part of the STATUS is the account that ASA/OPA client is currently using.

Recommended content

Still looking for help?
Loading
How to Use Multiple User Accounts with an Advanced Server Access or Okta Privileged Access Client