Enable agentless Desktop Single Sign-on

  1. In the Admin Console, go to Security > Delegated Authentication.
  2. Scroll to Agentless Desktop SSO.
  3. Click Edit and select a DSSO mode:
    • Off
    • Test — allows you to test DSSO by signing in using the direct agentless DSSO endpoint URL: https://<myorg>.okta.com/login/agentlessDsso.
    • On — enables SSO in Production and lets users sign in from the default sign-in endpoint, which routes through the agentless DSSO sign-in endpoint. End users don't need to type the DSSO URL explicitly.
  4. For Allowed network zones, add the zones associated with the machines from which agentless DSSO sign-ins will originate.

    Note: When Identity Provider (IdP) Discovery is turned on, the network zone options aren't available. When IdP Discovery and agentless DSSO are both on, agentless DSSO network zones are controlled through the IdP Routing Rules. You update the default IdP routing rule in Update the default Desktop Single Sign-on Identity Provider routing rule.

  5. In AD Instances, select the Active Directory instance on which you configured the Service Principal Name (SPN).
  6. Complete these fields to configure agentless DSSO for the selected Active Directory domain:
    • Desktop SSO — Select Enabled or Disabled, depending on whether you're enabling DSSO for production or testing.

    • Service account username — The AD sign-on name that you created in Create a service account and configure a Service Principal Name, without any domain suffix or NetBIOS name prefix. It can be the sAMAccountName or the username part of the UPN. These two are usually the same string unless the Org admin chose different values.

      This field is case sensitive. When the UPN prefix differs from the sAMAccountName, the service account username must be the full UPN, including the domain suffix. For example, agentlessDsso@mydomain.com.

      When the service account username and the AD user account name don't match, agentless DSSO can fail. When this happens, you are returned to the default sign-on page and a GSS_ERR error appears in the System Log. The service account username and the AD user account name are case sensitive and must match when AES encryption is enabled on the service account.

    • Service account password — Password for the account that you created in AD.

    • Validate service account credential on save — Optional. Not case sensitive. Validates the service account credentials as an optional step when saving the Kerberos realm configuration. If it's checked, the AD agent authenticates the service account; if the credentials can't be validated, an error message appears. If you don't want to validate, or can't because the AD agent isn't responsive, clear the box to skip the validation.
  7. Click Save.
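As an added pre-flight check (not part of the Okta documentation), the following Python helper applies the rules for the Service account username field to a constructed AD account and explains why an entered value would fail; the `AdServiceAccount` class and function names are assumptions.

```python
"""Pre-flight check for the agentless DSSO "Service account username" field.

Rule encoded here: enter the bare AD sign-on name (no domain suffix, no
NetBIOS prefix) when the UPN prefix equals the sAMAccountName; when they
differ, enter the full UPN. The comparison is case sensitive.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AdServiceAccount:
    """Hypothetical container for the two AD attributes the rule depends on."""
    sam_account_name: str      # e.g. "agentlessDsso"
    user_principal_name: str   # e.g. "agentlessDsso@mydomain.com"


def expected_service_account_username(acct: AdServiceAccount) -> str:
    """Return the exact string to enter in the Service account username field."""
    upn_prefix, _, _domain = acct.user_principal_name.partition("@")
    if upn_prefix == acct.sam_account_name:
        return acct.sam_account_name          # bare name, no suffix or prefix
    return acct.user_principal_name           # prefixes differ: full UPN


def check_service_account_username(entered: str, acct: AdServiceAccount) -> tuple[bool, str]:
    """Compare the admin's entry with the expected value and explain a mismatch."""
    expected = expected_service_account_username(acct)
    if entered == expected:
        return True, "OK"
    if "\\" in entered:
        return False, f"Remove the NetBIOS prefix: enter {expected!r}"
    if entered.casefold() == expected.casefold():
        return False, f"Case mismatch (field is case sensitive): enter {expected!r}"
    if "@" in entered and "@" not in expected:
        return False, f"Remove the domain suffix: enter {expected!r}"
    if "@" not in entered and "@" in expected:
        return False, f"UPN prefix differs from sAMAccountName: enter the full UPN {expected!r}"
    return False, f"Does not match the AD account: expected {expected!r}"


if __name__ == "__main__":
    # Constructed sample accounts, not real directory data.
    same = AdServiceAccount("agentlessDsso", "agentlessDsso@mydomain.com")
    differ = AdServiceAccount("svc-dsso", "agentlessDsso@mydomain.com")
    for entry, acct in [("agentlessdsso", same), ("MYDOMAIN\\agentlessDsso", same),
                        ("agentlessDsso", differ)]:
        print(entry, "->", check_service_account_username(entry, acct))
```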

Next steps

Update the default Desktop Single Sign-on Identity Provider routing rule