Configure Windows browsers for SSO
Although IWA SSO may work if you choose not to configure your browser, Okta recommends that you review the relevant information for your browser type and then configure your browser as described if appropriate for your environment.
The Microsoft Edge browser is not supported.
- Add your Okta tenant URL and the URL of the server that hosts your Desktop SSO IWA Web agent to your trusted zone:
The URL hostname.companyname.com is the fully qualified domain name of the server in question. For example, my-iis7-host.corp.acme.com. It is not sufficient for this URL to be listed as a Trusted Site in the Trusted Sites zone.
Most organizations set up a Group Policy to configure this setting in their users' Internet options.
- On your Windows Control Panel, select .
- In the Add this website to the zone field, enter:
https://hostname.companyname.com or http://hostname.companyname.com and https://_subdomain_.okta.com or https://_subdomain_.okta-emea.com or https://_subdomain_.oktapreview.com or https://_subdomain_.okta-gov.com as appropriate.
- Click Add.
- Click OK twice to close Internet Options.
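Because zone assignments are usually pushed by Group Policy and can also be set per user, it is worth verifying where a host actually landed before troubleshooting a failed IWA sign-on. The following PowerShell is an added example, not Okta's code: it reports the security zone that Internet Explorer will apply to a host (policy assignments take precedence over per-user ones) and can write the per-user mapping. It assumes the zone that matters is Local intranet (zone id 1), since the page states that Trusted Sites alone is not sufficient, and the host names are placeholders.

```powershell
# Added example (not from the Okta page): inspect and set IE security-zone
# assignments for the IWA host and the Okta tenant.
# Assumptions: target zone is Local intranet (id 1); hostnames are placeholders.

$IwaHost    = 'hostname.companyname.com'   # placeholder: host of the IWA Web agent
$OktaHost   = 'subdomain.okta.com'         # placeholder: your Okta tenant
$TargetZone = 1                            # 1 = Local intranet

$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# Group Policy "Site to Zone Assignment List" lands here: REG_SZ, name = host/URL pattern, data = zone id
$PolicyKey = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
# Per-user manual entries land here: Domains\<domain>\<host>, REG_DWORD named http/https = zone id
$UserKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-ZoneAssignment {
    param([Parameter(Mandatory)][string]$HostName, [string]$Scheme = 'https')

    # Policy-delivered assignments override anything the user set, so check them first.
    if (Test-Path $PolicyKey) {
        foreach ($p in (Get-ItemProperty -Path $PolicyKey).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }                 # skip PowerShell metadata properties
            $pattern = $p.Name -replace '^\w+://', ''              # drop an explicit scheme prefix
            if ($HostName -like $pattern) {
                return [pscustomobject]@{ Host = $HostName; Zone = [int]$p.Value; ZoneName = $ZoneNames[[int]$p.Value]; Source = 'Policy' }
            }
        }
    }

    # Per-user ZoneMap: rebuild "<host>.<domain>" from the key path and match host or suffix.
    if (Test-Path $UserKey) {
        foreach ($domain in Get-ChildItem -Path $UserKey) {
            $entries = @($domain) + @(Get-ChildItem -Path $domain.PSPath)
            foreach ($entry in $entries) {
                $name = if ($entry.PSPath -eq $domain.PSPath) { $domain.PSChildName } else { "$($entry.PSChildName).$($domain.PSChildName)" }
                $val  = (Get-ItemProperty -Path $entry.PSPath).$Scheme
                if ($null -ne $val -and ($HostName -eq $name -or $HostName -like "*.$name")) {
                    return [pscustomobject]@{ Host = $HostName; Zone = [int]$val; ZoneName = $ZoneNames[[int]$val]; Source = 'User' }
                }
            }
        }
    }
    return [pscustomobject]@{ Host = $HostName; Zone = $null; ZoneName = '(no explicit mapping)'; Source = 'None' }
}

function Set-UserZoneAssignment {
    param([Parameter(Mandatory)][string]$HostName, [int]$Zone = $TargetZone, [string]$Scheme = 'https')
    # IE stores "a.b.example.com" as Domains\example.com\a.b; a two-label name sits on the domain key itself.
    $labels = $HostName.Split('.')
    $domain = ($labels | Select-Object -Last 2) -join '.'
    $key = Join-Path $UserKey $domain
    if ($labels.Count -gt 2) { $key = Join-Path $key (($labels | Select-Object -First ($labels.Count - 2)) -join '.') }
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name $Scheme -Value $Zone -Type DWord
    return Get-ZoneAssignment -HostName $HostName -Scheme $Scheme
}

# Report the current state for both hosts the page says must be in the zone.
foreach ($h in @($IwaHost, $OktaHost)) { Get-ZoneAssignment -HostName $h }
# To apply the per-user mapping (only useful where no policy overrides it):
# Set-UserZoneAssignment -HostName $IwaHost
# Set-UserZoneAssignment -HostName $OktaHost
```

If `Get-ZoneAssignment` reports `Source = 'Policy'`, editing the per-user key has no effect and the change belongs in the Group Policy Site to Zone Assignment List instead.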
- Configure your browser:
- In Internet Explorer select .
- Click the Advanced tab, scroll down to the Security settings, and select Enable Integrated Windows Authentication.
- Click OK.
Make sure that Internet Explorer can save session cookies ( tab). If it cannot, neither SSO nor standard sign-in can work.

The following configuration permits Firefox to properly pass the Kerberos ticket with IWA, but Firefox still warns the user about the transition from an HTTPS page to an HTTP page. To resolve this issue, deploy IWA in HTTPS mode.
- In the Firefox address bar enter: about:config
In Firefox version 3.x and later, a warning message displays. Click the button to clear the message and proceed.
- When the configuration page loads, enter the following in the Search field: network.negotiate-auth.trusted-uris
- In this field, list the host name of the IWA server(s), separating multiple values with a comma (,) if two or more IWA instances are deployed. If you enter more than one host name, the order doesn't matter.
Okta recommends that you enter the fully qualified domain name (FQDN) of your IWA host servers. If you do not, you also need to toggle the following values to TRUE:
network.automatic-ntlm-auth.allow-non-fqdn
network.negotiate-auth.allow-non-fqdn
- Right-click the Value column for each of the above and toggle the value to True.
- Click OK.
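The about:config steps above are a per-user change. The following PowerShell is an added example, not Okta's code: it builds the comma-separated value for network.negotiate-auth.trusted-uris, checks whether every listed host is an FQDN (so that the two allow-non-fqdn preferences are only enabled when they are actually needed), and writes the equivalent settings into Firefox's enterprise policies.json, a deployment mechanism the page does not mention but which Firefox reads from the distribution folder next to the executable. The host names and install path are placeholders.

```powershell
# Added example (not from the Okta page): build the Firefox IWA settings and
# deploy them through policies.json. Hostnames and install path are placeholders.

$IwaHosts = @('iwa1.corp.acme.com', 'iwa2.corp.acme.com')   # placeholders: IWA agent hosts

function Test-IsFqdn {
    param([Parameter(Mandatory)][string]$HostName)
    # A dotted name with at least two labels; bare NetBIOS-style names fail this check.
    return ($HostName -match '^([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$')
}

function New-NegotiateTrustedUris {
    param([Parameter(Mandatory)][string[]]$Hosts)
    # The manual value for network.negotiate-auth.trusted-uris; order does not matter.
    return ($Hosts -join ',')
}

function New-FirefoxAuthPolicy {
    param([Parameter(Mandatory)][string[]]$Hosts)
    $nonFqdn = @($Hosts | Where-Object { -not (Test-IsFqdn -HostName $_) })
    $policy = @{
        policies = @{
            Authentication = @{
                SPNEGO = $Hosts        # same effect as network.negotiate-auth.trusted-uris
            }
        }
    }
    if ($nonFqdn.Count -gt 0) {
        # Needed only when a listed host is not an FQDN: equivalent to toggling
        # network.negotiate-auth.allow-non-fqdn and network.automatic-ntlm-auth.allow-non-fqdn to true.
        $policy.policies.Authentication['AllowNonFQDN'] = @{ SPNEGO = $true; NTLM = $true }
        Write-Warning ("Non-FQDN host(s) listed: {0}; AllowNonFQDN enabled" -f ($nonFqdn -join ', '))
    }
    return ($policy | ConvertTo-Json -Depth 5)
}

function Install-FirefoxAuthPolicy {
    param([Parameter(Mandatory)][string[]]$Hosts,
          [string]$FirefoxDir = "$env:ProgramFiles\Mozilla Firefox")   # placeholder install path
    $dist = Join-Path $FirefoxDir 'distribution'
    New-Item -ItemType Directory -Path $dist -Force | Out-Null
    $path = Join-Path $dist 'policies.json'
    New-FirefoxAuthPolicy -Hosts $Hosts | Set-Content -Path $path -Encoding UTF8
    return $path
}

'Manual about:config value: ' + (New-NegotiateTrustedUris -Hosts $IwaHosts)
New-FirefoxAuthPolicy -Hosts $IwaHosts
# Install-FirefoxAuthPolicy -Hosts $IwaHosts   # run elevated: writes under Program Files
```

Keeping the allow-non-fqdn switches off unless a short name is genuinely in the list follows the page's recommendation to use FQDNs: the narrower the set of hosts the browser will negotiate with, the smaller the surface for a ticket being handed to the wrong server.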
IWA is automatically enabled on Chrome for Windows and the capability is allowlist-driven. If a site asks your browser to provide the Kerberos ticket, the browser only supplies the ticket if the site is on an allowlist.
The allowlist is provided to the browser at startup using this command-line parameter:
--auth-server-allowlist=
For example:
--auth-server-allowlist="*hostname.companyname.com"
This tells Chrome that any URL ending in hostname.companyname.com is in the permitted list. Without the '*' prefix, the URL has to match exactly.
The hostname.companyname.com value refers to the server hosting the Okta IWA Web agent.
If the '--auth-server-allowlist' command-line parameter is not specified at startup, the permitted list includes the servers in the Local Machine or Local Intranet security zone. This behavior is consistent with Internet Explorer.
To start Chrome on Windows and supply this command-line parameter:
- Right-click your desktop Chrome icon (or select Google Chrome and right-click it), and then select Properties.
- In the Target field, move the cursor to the end of the existing value and add the text of your new command-line parameter.
- Click OK.
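The following PowerShell is an added example, not Okta's code. It does two things the steps above leave manual: it checks whether a host would be covered by a given --auth-server-allowlist pattern under the matching rule the page describes (a leading '*' permits any host ending in the remainder, otherwise the match must be exact), and it appends the parameter to the Target of a Chrome shortcut without duplicating it if it is already present. The shortcut path and host names are placeholders.

```powershell
# Added example (not from the Okta page): check allowlist matching and append
# --auth-server-allowlist to a Chrome shortcut. Paths and hostnames are placeholders.

$Pattern      = '*hostname.companyname.com'                   # placeholder pattern
$ShortcutPath = "$env:USERPROFILE\Desktop\Google Chrome.lnk"  # placeholder shortcut

function Test-AuthServerAllowlistMatch {
    param([Parameter(Mandatory)][string]$Pattern, [Parameter(Mandatory)][string]$HostName)
    # Matching rule as described on the page: '*' prefix = suffix match, otherwise exact.
    foreach ($entry in $Pattern.Split(',')) {
        $entry = $entry.Trim()
        if ($entry.Length -eq 0) { continue }
        if ($entry.StartsWith('*')) {
            if ($HostName.EndsWith($entry.Substring(1), [StringComparison]::OrdinalIgnoreCase)) { return $true }
        } elseif ($HostName -ieq $entry) {
            return $true
        }
    }
    return $false
}

function Add-ChromeAuthServerAllowlist {
    param([Parameter(Mandatory)][string]$ShortcutPath, [Parameter(Mandatory)][string]$Pattern)
    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut($ShortcutPath)
    if ($lnk.Arguments -match '--auth-server-allowlist') {
        Write-Warning 'Shortcut already carries --auth-server-allowlist; leaving it unchanged'
    } else {
        # Append the parameter after any arguments the shortcut already has.
        $lnk.Arguments = ($lnk.Arguments + " --auth-server-allowlist=`"$Pattern`"").Trim()
        $lnk.Save()
    }
    # Return the effective command line so the result can be eyeballed.
    return ($lnk.TargetPath + ' ' + $lnk.Arguments).Trim()
}

# Which hosts the wildcard pattern covers, versus an exact entry:
Test-AuthServerAllowlistMatch -Pattern $Pattern -HostName 'hostname.companyname.com'
Test-AuthServerAllowlistMatch -Pattern $Pattern -HostName 'iwa.hostname.companyname.com'
Test-AuthServerAllowlistMatch -Pattern 'hostname.companyname.com' -HostName 'iwa.hostname.companyname.com'
# Add-ChromeAuthServerAllowlist -ShortcutPath $ShortcutPath -Pattern $Pattern
```

A shortcut edit only covers Chrome launches that go through that shortcut; where Chrome is managed centrally, the same list is normally delivered through the Chrome AuthServerAllowlist policy, which applies regardless of how the browser is started.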