Our setup:

OpenID based SaaS solution that uses Okta Identity Providers to allow client employees to log in with corporate credentials from an external IDP.

Our problem:

When connecting with an external OpenID Connect Identity Provider, there are occasionally errors with users being unable to authenticate that are difficult to troubleshoot because of a lack of visibility in the Okta System Log.

A typical authentication flow may look something like this:

1. Client Application calls Okta's /authorize endpoint
2. Okta calls external Identity Provider's /authorize endpoint
3. User enters credentials
4. Identity Provider returns user to Okta's /callback endpoint
5. Okta performs JIT User Profile operations
6. Okta returns user to Client Application's /callback endpoint

System Log only seems to begin recording data if step 5 is able to occur. Steps 1-4 do not appear in the System Log in any way that I can see. This becomes a problem for us when there is an error with user authentication in step 3. By running a network trace in the user's browser we can see the Identity Provider returning to Okta in step 4 with some important contextual information (ex: &error=access_denied&error_description=User+is+not+assigned+to+the+client+application), however this information is not captured by Okta logs.

It would be better for our technical team to be able to research these log entries directly rather than trying to explain to an end-user how to activate a browser network trace and export the log files for review.

Is it possible to view these types of messages in Okta somewhere, or if not, can it be added? The traffic is clearly flowing through Okta, so it is strange not to see any evidence of it in the logs.