This article explains why Okta's System Log does not show the users who were redirected to IWA/credentials during the Agentless Desktop Single Sign-on (DSSO) flow.
- Agentless Desktop Single Sign-on (AgentlessDSSO)
It is not possible to identify users who are unable to sign in with AgentlessDSSO because they are redirected to the default login page before user identification takes place.
During the AgentlessDSSO workflow, if authentication fails at a stage before the user can be identified (for example, due to configuration issues or missing credentials), Okta cannot capture or log the user’s identity for that event. As a result, system logs for these redirection events do not contain user names or IDs.
To find the events where the ADSSO flow was redirected to credentials (the default login page), use this query in Okta's System Log:
eventType eq "system.iwa_agentless.redirect"
Because Okta cannot capture the root cause of the issue, and the affected machine is not recorded in the System Log, it is recommended to investigate further by capturing a network trace on the client side (for example, with Fiddler) and correlating the machine's activity with the authentication attempts.
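As an added example (not Okta's own code or tooling), the script below pulls the redirect events with the filter above from the System Log API and groups them by client IP and user agent, which are the only client-side fields available for matching against a Fiddler trace; the org URL, API token, `since` timestamp and the sample events are assumed/constructed.

```python
import json
import urllib.parse
import urllib.request
from collections import Counter

# The System Log filter from the article: AgentlessDSSO requests that fell back to the credentials page.
REDIRECT_FILTER = 'eventType eq "system.iwa_agentless.redirect"'

def fetch_redirect_events(org_url, api_token, since):
    """GET /api/v1/logs with the filter, following rel="next" Link headers (inputs are assumed)."""
    query = urllib.parse.urlencode({"filter": REDIRECT_FILTER, "since": since, "limit": 200})
    url, events = f"{org_url}/api/v1/logs?{query}", []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"SSWS {api_token}", "Accept": "application/json"})
        with urllib.request.urlopen(req) as resp:
            page, links = json.load(resp), resp.headers.get_all("Link") or []
        if not page:  # an empty page marks the end of the result set
            break
        events.extend(page)
        url = next((l.split(";")[0].strip("<> ") for l in links if 'rel="next"' in l), None)
    return events

def summarize_redirects(events):
    """Group redirect events by (client IP, user agent) with first/last timestamps and actor counts."""
    summary = {}
    for ev in events:
        client = ev.get("client") or {}
        ua = (client.get("userAgent") or {}).get("rawUserAgent") or "unknown"
        key = (client.get("ipAddress") or "unknown", ua)
        entry = summary.setdefault(key, {"count": 0, "first": None, "last": None, "actors": Counter()})
        entry["count"] += 1
        ts = ev.get("published", "")  # ISO-8601 UTC strings sort lexicographically
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
        # The actor is not populated before user identification, so it lands in "unknown"
        entry["actors"][(ev.get("actor") or {}).get("displayName") or "unknown"] += 1
    return summary

# Constructed sample events in System Log shape (not real Okta output).
SAMPLE_EVENTS = [
    {"published": "2024-05-01T08:03:10.000Z", "eventType": "system.iwa_agentless.redirect",
     "actor": {"type": "SystemPrincipal", "displayName": None},
     "client": {"ipAddress": "10.0.0.5", "userAgent": {"rawUserAgent": "Chrome/124"}}},
    {"published": "2024-05-01T08:00:01.000Z", "eventType": "system.iwa_agentless.redirect",
     "client": {"ipAddress": "10.0.0.5", "userAgent": {"rawUserAgent": "Chrome/124"}}},
    {"published": "2024-05-01T08:05:42.000Z", "eventType": "system.iwa_agentless.redirect",
     "client": {"ipAddress": "10.0.0.9", "userAgent": {"rawUserAgent": "Edge/124"}}},
]
```

The first/last timestamps per client give the window to look for in the client-side trace; the actor counter stays "unknown" for every event, which is the behaviour this article describes.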
Related References
- Agentless DSSO is not working on Chrome
- What are the known limitations of Active Directory Desktop Single Sign-on?
- 400 Error when attempting to authenticate via ADSSO
- What "Kerberos validation failed with result=GSS_ERROR" in the system logs means
- In DSSO - How do we modify SPN for Service Account
- Agentless DSSO not working after setting AES Encryption on Service Account
