Configure Mac browsers for SSO

Although IWA SSO may work if you choose not to configure your browser, Okta recommends that you review the relevant information for your browser type and then configure your browser.

macOS Safari

IWA is enabled automatically in Safari on macOS. Make sure that the macOS host is a Windows domain member. For more information on how to add your macOS host to a Windows domain, refer to Apple Support documentation and search for articles on how to join your Mac to a network account server.

Mozilla Firefox

The following configuration permits Firefox to properly pass the Kerberos ticket with IWA, but Firefox still warns the user about the transition from an HTTPS page to an HTTP page. To resolve this issue, deploy IWA in HTTPS mode.

  1. In the Firefox address bar, enter about:config

    Firefox 3.x and later displays a warning message requesting that you proceed with caution.

  2. After the configuration page loads, enter the following in the Search field:

    network.negotiate-auth.trusted-uris

  3. In this field, list the host name of the IWA server(s). If two or more IWA instances are deployed, separate the values with a comma (,).

    The order does not matter if you enter more than one host name.

    Okta recommends that you enter the fully qualified domain name (FQDN) of your IWA host servers. If you do not, you will also need to toggle the following values to TRUE:

    network.automatic-ntlm-auth.allow-non-fqdn
    network.negotiate-auth.allow-non-fqdn

  4. Right-click the Value column for each of the above and toggle the value to True.
  5. Click OK.

Google Chrome

IWA capability is enabled automatically in Chrome on macOS, and just like on Windows, the capability is governed by an allowlist. If a site asks your browser to provide the Kerberos ticket, the browser only provides the ticket if the site is on the allowlist.

  1. Launch the Terminal application.
  2. Create a Kerberos ticket for the account: kinit user.name@example.com

    Replace user.name@example.com with your username and domain and then enter your password when prompted.

  3. Configure the Chrome allowlist:

    $ defaults write com.google.Chrome AuthServerAllowlist "*.example.com"

    $ defaults write com.google.Chrome AuthNegotiateDelegateAllowlist "*.example.com"

    Replace example.com with your domain.

For information on how to manage Chrome policies on macOS, refer to Google Support documentation and search for articles on AuthNegotiateDelegateAllowlist and AuthServerAllowlist.
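As an added example (not from this page or from Okta), the shell functions below generate the Firefox user.js prefs and the Chrome defaults commands from a list of IWA host names, applying the FQDN rule above and refusing a bare wildcard that would offer the Kerberos ticket to any site. The host names and domain are placeholders.

```shell
#!/bin/sh
# Added example, not Okta's code. Builds the Firefox and Chrome IWA allowlist
# settings described above. Hosts/domains below are placeholders.

# is_fqdn HOST -> 0 if HOST contains a dot (treated as fully qualified)
is_fqdn() {
    case "$1" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# firefox_prefs HOST... -> user.js lines for the Firefox profile.
# Prints the trusted-uris pref and, only when a short (non-FQDN) name is
# present, the two allow-non-fqdn prefs that must then be toggled to true.
# A bare "*" or empty host is refused: it would trust every site.
firefox_prefs() {
    uris=""
    need_non_fqdn=0
    for h in "$@"; do
        case "$h" in
            "*"|"") echo "refusing wildcard/empty host: '$h'" >&2; return 1 ;;
        esac
        is_fqdn "$h" || need_non_fqdn=1
        uris="${uris:+$uris,}$h"
    done
    printf 'user_pref("network.negotiate-auth.trusted-uris", "%s");\n' "$uris"
    if [ "$need_non_fqdn" -eq 1 ]; then
        echo 'user_pref("network.automatic-ntlm-auth.allow-non-fqdn", true);'
        echo 'user_pref("network.negotiate-auth.allow-non-fqdn", true);'
    fi
}

# chrome_cmds DOMAIN -> the two defaults(1) commands from the page, scoped to
# *.DOMAIN. A bare "*" is refused for the same reason as above.
chrome_cmds() {
    case "$1" in
        "*"|"") echo "refusing wildcard/empty domain" >&2; return 1 ;;
    esac
    printf 'defaults write com.google.Chrome AuthServerAllowlist "*.%s"\n' "$1"
    printf 'defaults write com.google.Chrome AuthNegotiateDelegateAllowlist "*.%s"\n' "$1"
}

# Review the output, then run it (Chrome) or append it to the Firefox
# profile's user.js. Placeholder hosts:
firefox_prefs iwa1.example.com iwa2.example.com
chrome_cmds example.com
```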

Next steps

Activate the Okta IWA Web agent