Configure Windows browsers for SSO

Although IWA SSO may work if you choose not to configure your browser, Okta recommends that you review the relevant information for your browser type and then configure your browser as described if appropriate for your environment.

The Microsoft Edge browser is not supported.

  1. Add your Okta tenant URL and the URL of the server that hosts your Desktop SSO IWA Web agent to your trusted zone:

    The URL is the fully qualified domain name of the server in question. For example, It is not sufficient for this URL to be listed as a Trusted Site in the Trusted Sites zone.

    Most organizations set up a Group Policy to configure this setting in their users' Internet options.

    1. On your Windows Control Panel, select Network and InternetInternet OptionsSecurityLocal intranetSitesAdvanced.
    2. In the Add this website to the zone field, enter: or and or or or as appropriate.

    3. Click Add.
    4. Click OK twice to close Internet Options.
  2. Configure your browser:

    Windows Internet Explorer

    1. In Internet Explorer select ToolsInternet Options.
    2. Click the Advanced tab, scroll down to the Security settings, and select Enable Integrated WindowsAuthentication.
    3. Click OK.

    Make sure that Internet Explorer can save session cookies (Internet OptionsPrivacy tab). If it cannot, neither SSO nor standard sign in can work.

    Mozilla Firefox

    The following configuration permits Firefox to properly pass the Kerberos ticket with IWA, but Firefox still warns the user about the transition from an HTTPS page to an HTTP page. To resolve this issue, deploy IWA in HTTPS mode.

    1. In the Firefox address bar enter: about:config

      In Firefox version 3.x and later, a warning message displays. Click the button to clear the message and proceed.

    2. When the configuration page loads, enter the following in the Search field: network.negotiate-auth.trusted-uris
    3. In this field list the host name of the IWA server(s), separating multiple values with a comma ',' if two or more IWA instances are deployed.

      Okta recommends that you enter the fully qualified domain name (FQDN) of your IWA host servers. If you do not, you will also need to toggle the following values to TRUE:

      If you enter more than one host name, the order doesn't matter.

    4. Right click the Value column for each of the above and toggle the value to True.
    5. Click OK.

    Google Chrome

    IWA is automatically enabled on Chrome for Windows and the capability is allowlist-driven. If your browser is asked by a site to provide the Kerberos ticket, the browser only supplies the ticket to the site if the site is on a allowlist.

    The allowlist is provided to the browser at startup using this command-line parameter:


    For example:


    This tells Chrome that any URL ending in hostname.companyname.comis in the permitted list. Without the '*' prefix, the URL has to match exactly.

    The value refers to the server hosting the OktaIWA Web agent.

    If the '--auth-server-allowlist' command-line parameter is not specified at startup, the permitted list includes the servers in the Local Machine or Local Intranet security zone. This behavior is consistent with Internet Explorer.

    To start Chrome on Windows and supply this command-line parameter:

    1. Right click your desktop Chrome icon or select StartAll ProgramsGoogle Chrome and right click Google Chrome, and then select Properties.
    2. In the Target field, move the cursor to the end of the existing value and add the text of your new command-line parameter.
    3. Click OK.

Next steps

Activate the Okta IWA Web agent