System Log events for Device-Bound SSO

Early Access release. See Enable self-service features.

Okta records System Log events to help you track the lifecycle and usage of device sessions in your org. You can use these events to audit when device sessions are established, used to access apps, or terminated.

Events for device sessions

The following events record the creation and termination of the device session:

Event type

Description

user.device_session.start

This event is recorded when a user successfully authenticates on a managed device and Okta creates a device session.

user.device_session.end

This event is recorded when one or more of the following actions ends the device session:

  • The user signs out of the device and signs in again, establishing a new device session. This event isn't recorded if the user simply signs out of the device.

  • The device is suspended or deactivated.

  • An admin clears a user's Okta sessions.

This event isn't recorded when any of the following actions take place:

  • The user signs out of the device.

  • The user is suspended or deactivated.

  • The user's authenticators are reset.

  • Okta sends a Device Logout command.

user.session.clear

This event is recorded when all user sessions are cleared, either by an admin or through a system-initiated actor such as Identity Threat Protection.

Track session activity

To help you correlate authentication activity with a specific device session, Okta adds a deviceSessionId field to the authenticationContext object in the System Log:

Event type

Description

authenticationContext.deviceSessionId

A unique identifier for the device session.

This field is populated for all authentication events in which the device session is used to satisfy the authentication requirements, such as user.authentication.verify or policy.evaluate_sign_on.

If a device session isn't used when creating the authenticationContext, then this attribute doesn't appear in the System Log.

To view all activity associated with a specific device session, you can search the System Log using the session ID, for example:

authenticationContext.deviceSessionId eq "your_device_session_id"

This query returns the initial session start, all subsequent app access events, and the session end event. This provides a complete audit trail for that session.
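
The following added example (not Okta code) shows one way to build the same per-session audit trail offline from exported System Log events, and to list any events that carry a deviceSessionId after that session's end event. It assumes the events are already loaded as JSON objects with the standard eventType and published fields; the sample events and the dsid-A and dsid-B identifiers are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

START, END = "user.device_session.start", "user.device_session.end"

def _event(published, event_type, device_session_id=None):
    """Build a constructed event holding only the fields this example reads."""
    ctx = {"deviceSessionId": device_session_id} if device_session_id else {}
    return {"published": published, "eventType": event_type, "authenticationContext": ctx}

# Constructed sample data (not real Okta output), deliberately out of order.
SAMPLE_EVENTS = [
    _event("2025-01-10T09:05:00.000Z", "user.authentication.verify", "dsid-A"),
    _event("2025-01-10T09:00:00.000Z", START, "dsid-A"),
    _event("2025-01-10T09:06:00.000Z", "policy.evaluate_sign_on", "dsid-A"),
    _event("2025-01-10T17:00:00.000Z", END, "dsid-A"),
    _event("2025-01-10T10:00:00.000Z", "user.authentication.verify", "dsid-B"),
    _event("2025-01-10T11:00:00.000Z", END, "dsid-B"),
    _event("2025-01-10T11:30:00.000Z", "user.authentication.verify", "dsid-B"),
    _event("2025-01-10T12:00:00.000Z", "user.authentication.verify"),  # no device session
]

def _published(event):
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))

def build_timelines(events):
    """Group events by authenticationContext.deviceSessionId, oldest first."""
    sessions = defaultdict(list)
    for event in events:
        sid = (event.get("authenticationContext") or {}).get("deviceSessionId")
        if sid:  # the field is absent when no device session was used
            sessions[sid].append(event)
    return {sid: sorted(evs, key=_published) for sid, evs in sessions.items()}

def audit_session(timeline):
    """Summarize one session and list any event types seen after its end event."""
    types = [e["eventType"] for e in timeline]
    after_end = types[types.index(END) + 1:] if END in types else []
    return {
        "start_seen": START in types,
        # A missing end event is not an error on its own: a plain sign-out records none.
        "end_seen": END in types,
        "uses": sum(t not in (START, END) for t in types),
        "events_after_end": [t for t in after_end if t != END],
    }

if __name__ == "__main__":
    for sid, timeline in build_timelines(SAMPLE_EVENTS).items():
        print(sid, audit_session(timeline))
```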