Post Access Gateway flow

Requests can be initiated to a service provider directly or using an Okta tenant.
Access Gateway flows go through a number of steps for each request after a flow is initiated. The following diagram and state transition description describe this flow.

| State | Description | Error | Success |
| --- | --- | --- | --- |
| Initial | Starting state, where request has yet to be made. | | |
| Domain served | DNS entry points to Access Gateway but domain not served by Access Gateway. | Unknown host. Status code: 400. The requested host:'domain.tld' is not being served by this Access Gateway. | Continue |
| Session does not exist | Session does not exist, perform defined application login behavior. | Failed authentication, Okta supplied page. | Continue |
| Validate session integrity | Validate session according to session integrity behavior. | Error, as defined in behavior. Or one of: App is offline - App is disabled (503); App is in maintenance - App is in maint mode (503) | |
| Create session | Access Gateway session is created. Attributes populated and stored into session cache. | N/A | Continue |
| Evaluate deep linking | Advanced > Deep linking (Disabled). | N/A | Route to the specified post login URL. |
| Evaluate deep linking | Advanced > Deep linking (Enabled). | | Route to the provided URL. Normally http://domain.tld/somepath. |
| Evaluate policy | Evaluate policy for selected URI | 403 (Access denied via policy) | 403 (Access denied via policy) |
| Forward request | Rewrite request and forward to protected resource | Application dependent. | |

Related topics

Reference architectures

DNS use

High availability

About Access Gateway prerequisites