Migrate from Integrated Windows Authentication to agentless Desktop Single Sign-on

To simplify user access management, Okta encourages you to move from Integrated Windows Authentication (IWA) to agentless Desktop Single Sign-on (ADSSO). Okta is no longer adding new IWA functionality and offers only limited support and bug fixes.

  1. Configure agentless Desktop Single Sign-on.
  2. Set IWA as a failover option for ADSSO. See Configure failover for the Okta IWA Web agent.
  3. Test your ADSSO configuration. See Test the agentless Desktop Single Sign-on configuration.
  4. Delete routing rules.

    1. In the Admin Console, go to Security > Identity Providers > Routing Rules.
    2. Identify and delete all rules that use OnPremDSSO as the identity provider.

    Note: If you use desktop device trust, don't complete steps 6 and 7 until the device trust configuration has been removed, either prior to or after the upgrade.

  5. Make ADSSO active:
    1. In the Admin Console, go to Security > Delegated Authentication.
    2. Scroll to Agentless Desktop SSO and Silent Activation.
    3. Click Edit and select On.
    4. Scroll down and click Save.
  6. Disable the Okta IWA agent:
    1. In the Admin Console, go to Security > Delegated Authentication.
    2. Scroll to On-Prem Desktop SSO.
    3. Click Edit and select Off.
    4. Scroll down and click Save.
  7. Optional. Delete the Okta IWA agent:
    1. In the Admin Console, go to Security > Delegated Authentication.
    2. Scroll to On-Prem Desktop SSO.
    3. Click Edit and scroll to the IWA Agents section.
    4. Click Delete, and then click Delete Agent in the Delete IWA Agent dialog.
    5. Optional. Repeat substep 4 to delete additional Okta IWA agents.