<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content

Okta System Log Does Not Show Users Redirected to Credentials or IWA During Agentless DSSO

Okta Classic Engine
Directories
Okta Identity Engine

Overview

During the Agentless Desktop Single Sign-on (ADSSO) workflow, Okta redirects users to the default login page before user identification occurs if authentication fails. Because Okta cannot capture the user identity during this early failure, the System Log does not display the user names or IDs for these redirection events. Capturing a client-side network trace helps correlate machine activity with authentication attempts to identify the root cause.

Applies To

  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Agentless Desktop Single Sign-on (ADSSO)

Cause

Okta redirects users to the default login page before user identification takes place when authentication fails during the Agentless DSSO workflow. Configuration issues or missing credentials often cause this early failure. Because Okta cannot identify the user at this stage, the System Log omits user names or IDs for these redirection events.

Solution

How to identify and investigate Agentless DSSO redirection events?

Search the System Log for events where the Agentless DSSO flow redirects to the default login page by using the following query.

eventType eq "system.iwa_agentless.redirect"

 

Review the following example of a System Log capture displaying the redirection event without user identification.

Syslog Capture

 

Because the System Log lacks user identification for these events, capture a network trace on the client side with a tool such as Fiddler to correlate machine activity with authentication attempts when investigating ADSSO redirection.

 

Related References

Loading
Okta Support - Okta System Log Does Not Show Users Redirected to Credentials or IWA During Agentless DSSO