Migrate from Integrated Windows Authentication to agentless Desktop Single Sign-on

To simplify user access management, Okta encourages you to move from Integrated Windows Authentication (IWA) to agentless Desktop Single Sign-on (ADSSO). Okta is no longer adding new IWA functionality and offers only limited support and bug fixes.

  1. Configure agentless Desktop Single Sign-on.
  2. Set IWA as a failover option for ADSSO. See Configure failover for the Okta IWA Web agent.
  3. Test your ADSSO configuration. See Test the agentless Desktop Single Sign-on configuration.
  4. Delete routing rules.

    1. In the Admin Console, go to Security > Identity Providers > Routing Rules.

    2. Identify and delete all rules using an identity provider of OnPremDSSO.

    If you use Device Trust on desktop devices, do not complete the next steps until the Device Trust configuration has been removed prior to or after upgrade.

  5. Make ADSSO active:
    1. In the Admin Console, go to Security > Delegated Authentication.
    2. Scroll to Agentless Desktop SSO and Silent Activation.
    3. Click Edit and select On.
    4. Scroll down and click Save.
  6. Disable the Okta IWA agent:
    1. In the Admin Console, go to Security > Delegated Authentication.
    2. Scroll to On-Prem Desktop SSO.
    3. Click Edit and select Off.
    4. Scroll down and click Save.
  7. Optional. Delete the Okta IWA agent:
    1. In the Admin Console, go to Security > Delegated Authentication.
    2. Scroll to On-Prem Desktop SSO.
    3. Click Edit and scroll to the IWA Agents section.
    4. Click Delete and Delete Agent in the Delete IWA Agent dialog.
    5. Optional. Repeat step 4 to delete additional Okta IWA agents.