Enable agentless Desktop Single Sign-on

  1. In the Admin Console, go to Security > Delegated Authentication.
  2. Scroll to Agentless Desktop SSO.
  3. Click Edit and select a DSSO mode:
    • Off
    • Test: Allows you to test DSSO by signing in using the direct agentless DSSO endpoint URL: https://myorg.okta.com/login/agentlessDsso.
    • On: Allows you to enable SSO in production and lets users sign in from the default sign-in endpoint, routing through the agentless DSSO sign-in endpoint. The end user doesn't need to explicitly type in the DSSO URL.
  4. In AD Instances, select the Active Directory instance on which you configured the SPN.
  5. Complete these fields to configure agentless DSSO for the selected Active Directory domain:
    • Desktop SSO: Select Enabled or Disabled depending on whether you're enabling for production or testing.

    • Service account username: This is the Active Directory sign-in name without any domain suffix or NetBIOS name prefix. (See Create a service account and configure a Service Principal Name.) It can be the sAMAccountName or the username part of the UPN. These two may be the same string unless the org admin chose to use different values.

      This field is case-sensitive. When the UPN prefix differs from sAMAccountName, the service account username must be the same as the UPN and include the domain suffix. For example, agentlessDsso@mydomain.com.

      When the service account username and the Active Directory user account name don't match, agentless DSSO can fail. If this happens, you're returned to the default sign-in page and a GSS_ERR error appears in the System Log. The service account username and the Active Directory user account are case-sensitive and must match when AES encryption is enabled on the service account.

    • Service account password: Password for the account that you created in Active Directory.

    • Validate service account credential on save: Optional. Not case sensitive. Validates the service account credentials as an optional step in saving the Kerberos realm configuration. If it's checked, the Active Directory agent authenticates the service account. If the credentials can't be validated, an error message appears. If you don't want to validate or can't because the Active Directory agent isn't responsive, you can clear the box to skip the validation.
  6. For Allowed network zones, add the zones that are associated with the machines from which you're implementing agentless DSSO.

    When Identity Provider (IdP) Discovery is turned on, the network zone options aren't available. If IdP Discovery and agentless DSSO are both on, agentless DSSO network zones are controlled through the IdP routing rules. You update the default IdP routing rule in Update the default Desktop Single Sign-on Identity Provider routing rule.

  7. Click Save.
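As an added pre-check that is not part of the Okta documentation, the following PowerShell snippet reads the service account from Active Directory and derives the value to enter in the Service account username field, applying the sAMAccountName/UPN and case-sensitivity rules from step 5. It assumes the RSAT ActiveDirectory module is installed and uses a constructed sample account named agentlessDsso.

```powershell
# Added pre-check (not Okta's own code). Reads the DSSO service account from AD and
# reports the value to enter in "Service account username", whether an SPN is set,
# and whether AES is enabled (which makes the case-sensitive match mandatory).
Import-Module ActiveDirectory

$sam = 'agentlessDsso'   # constructed sample sAMAccountName; replace with your account
$acct = Get-ADUser -Identity $sam -Properties userPrincipalName, servicePrincipalName, 'msDS-SupportedEncryptionTypes'

# Split the UPN into its username part and its domain suffix.
$upnPrefix, $upnSuffix = $acct.UserPrincipalName -split '@', 2

# Rule from step 5: if the UPN prefix equals sAMAccountName, the short name is enough;
# if they differ, the full UPN including the domain suffix must be entered.
# -ceq is a case-sensitive comparison, because the Admin Console field is case-sensitive.
if ($upnPrefix -ceq $acct.SamAccountName) {
    $fieldValue = $acct.SamAccountName
} else {
    $fieldValue = $acct.UserPrincipalName
    Write-Warning "UPN prefix '$upnPrefix' differs from sAMAccountName '$($acct.SamAccountName)'; enter the full UPN."
}

# The account needs an SPN (see "Create a service account and configure a Service Principal Name").
if ($acct.servicePrincipalName.Count -eq 0) {
    Write-Warning 'No SPN is registered on this account; Kerberos ticket requests for DSSO will fail.'
}

# msDS-SupportedEncryptionTypes bit flags: 0x8 = AES128, 0x10 = AES256.
# When AES is enabled, the username entered in Okta must match the AD account name exactly, including case.
$encTypes   = [int]($acct.'msDS-SupportedEncryptionTypes')
$aesEnabled = ($encTypes -band 0x18) -ne 0

[pscustomobject]@{
    ServiceAccountUsername = $fieldValue
    AesEnabled             = $aesEnabled
    SPNs                   = ($acct.servicePrincipalName -join '; ')
}
```

If the output shows AesEnabled as True, compare ServiceAccountUsername character by character with what you type into the Admin Console; a case mismatch is one cause of the GSS_ERR entry described in step 5.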

Next steps

Update the default Desktop Single Sign-on Identity Provider routing rule