This article covers the steps to enroll an Advanced Server Access (ASA) or Okta Privileged Access (OPA) client using an additional user account (for example, a standard and an admin account). It assumes the client is already enrolled in a team with one account.
- Advanced Server Access (ASA)
- Okta Privileged Access (OPA)
The primary difficulty with enrolling a second account comes from being logged in already with the existing account.
- Log out of the ASA or OPA UI and the Okta org.
  - NOTE: If either session is still valid, ASA/OPA will automatically use that logged-in account rather than the second one to be enrolled.
- Run sft enroll --team <team-name> --force to enroll with the second account.
  - NOTE: If redirected to the ASA/OPA Client Setup page, the account is not fully logged out of the ASA/OPA team or Okta org.
- At the Okta sign-on page, authenticate using the second account that needs to be enrolled.
- At the ASA/OPA "Client Setup" page, click Approve.
  - NOTE: It may be necessary to customize the Client Name to indicate the username with which it is associated.
- On the CMD prompt, run sft list-teams, and the two different accounts should be displayed similar to the following:
  ```
  % sft list-teams
  USERNAME  TEAM       URL                         ID                                    STATUS
  asauser1  asa-team1  https://app.scaleft.com/v1  12ff4c94-b200-4690-a2c1-ab79e897605c  Expired 12h38m0s ago
  asauser2  asa-team1  https://app.scaleft.com/v1  548b1ed2-add3-47fe-8c16-c7de07a9b8bc  (default) Never used
  ```
- To switch between accounts, run "sft use <ID>" where <ID> is the ID (uuid) of the desired username from the "sft list-teams" output.
  - NOTE: The username that has "(default)" as part of the STATUS is the account that ASA/OPA client is currently using.
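
Because the client uses whichever enrollment is marked "(default)", it helps to check the active account before working with the admin identity and to switch by username rather than by copying a UUID. The shell helpers below are an added example, not part of the original article or of Okta's tooling; they assume sft list-teams prints the whitespace-separated columns shown above, and the function names are hypothetical.

```shell
# Added example. Assumption: `sft list-teams` prints the columns shown in
# this article (USERNAME TEAM URL ID STATUS...), separated by whitespace.

# Read list-teams text on stdin; print the ID for <username> in <team>.
# Exits non-zero unless exactly one row matches.
sft_id_for() {
    awk -v user="$1" -v team="$2" '
        NR == 1 && $1 == "USERNAME" { next }        # skip the header row
        $1 == user && $2 == team    { id = $4; n++ }
        END { if (n != 1) exit 1; print id }
    '
}

# Read list-teams text on stdin; print "username team" for each row whose
# STATUS contains "(default)". Exits non-zero if no row is marked.
sft_active_account() {
    awk '
        NR == 1 && $1 == "USERNAME" { next }
        {
            for (i = 5; i <= NF; i++)
                if ($i == "(default)") { print $1, $2; found = 1 }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Switch to <username> in <team> only if it is not already the active account.
sft_switch_to() {
    list=$(sft list-teams) || return 1
    [ "$(printf '%s\n' "$list" | sft_active_account)" = "$1 $2" ] && return 0
    id=$(printf '%s\n' "$list" | sft_id_for "$1" "$2") || return 1
    sft use "$id"
}

# Constructed sample input: the listing shown in this article.
SAMPLE_LIST='USERNAME  TEAM       URL                         ID                                    STATUS
asauser1  asa-team1  https://app.scaleft.com/v1  12ff4c94-b200-4690-a2c1-ab79e897605c  Expired 12h38m0s ago
asauser2  asa-team1  https://app.scaleft.com/v1  548b1ed2-add3-47fe-8c16-c7de07a9b8bc  (default) Never used'
```

For example, sft_switch_to asauser1 asa-team1 looks up the ID for asauser1 and passes it to sft use, and does nothing if asauser1 is already the default.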
