Configure browsers for agentless Desktop Single Sign-on on Windows

Agentless DSSO is supported on Windows using Chrome, Chromium versions of Microsoft Edge, and Internet Explorer. Firefox and previous versions of Microsoft Edge are not supported.

There are three main steps involved in configuring the browsers on Windows:

  • Enabling IWA on the browsers.
  • Adding Okta to the local intranet in Internet Explorer (IE). The Okta URLs must include https://<myorg>.kerberos.okta.com.
  • Creating a GPO to apply these settings across all client machines.

  1. Enable IWA on the browsers:
    1. In Internet Explorer select Tools > Internet Options.
    2. Click the Advanced tab, scroll down to the Security settings, and select Enable Integrated Windows Authentication.
    3. Click OK.

    Note: Make sure that Internet Explorer can save session cookies (Internet Options > Privacy tab). If it cannot, neither SSO nor standard sign-in works.

  2. Configure the Local Intranet Zone to trust Okta:
    1. In IE, open Options > Security.
    2. Click Local Intranet > Sites > Advanced and add the URL for your Okta org as configured in earlier steps. For example: https://<myorg>.kerberos.okta.com.
    3. Click Close and OK on the other configuration options.
  3. Create a GPO to roll this out to all client machines that will use agentless DSSO.
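
To confirm on a client that the settings from steps 1 and 2 actually arrived, the following added example (not part of Okta's documentation) reads them back from the registry. It assumes the GPO uses the "Site to Zone Assignment List" policy (`ZoneMapKey`) or that the site was added by hand in IE (`ZoneMap\Domains`); `$OrgHost` is a placeholder and the function names are illustrative.

```powershell
# Added example: read back the settings from steps 1-2 on a client.
# $OrgHost is a placeholder; replace <myorg> with your Okta org name.
$OrgHost = '<myorg>.kerberos.okta.com'
$IS      = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$PolIS   = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-RegValue([string]$Path, [string]$Name) {
    # RegistryKey.GetValue returns $null when the value is absent.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue($Name) }
}

function Get-ZoneFromPolicy([string]$HostName) {
    # "Site to Zone Assignment List" GPO: value name = site, data = zone number.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = Get-Item -LiteralPath "$hive\$PolIS\ZoneMapKey" -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            if ($name -like "*$HostName*") {
                [pscustomobject]@{ Source = "$hive ZoneMapKey"; Entry = $name; Zone = $key.GetValue($name) }
            }
        }
    }
}

function Get-ZoneFromUserMap([string]$HostName) {
    # Sites added by hand in IE: ZoneMap\Domains\<domain>\<subdomain>, value = scheme.
    $labels = $HostName.Split('.')
    $domain = $labels[-2..-1] -join '.'                   # okta.com
    $sub    = $labels[0..($labels.Count - 3)] -join '.'   # <myorg>.kerberos
    $zone   = Get-RegValue "HKCU:\$IS\ZoneMap\Domains\$domain\$sub" 'https'
    if ($null -ne $zone) {
        [pscustomobject]@{ Source = 'HKCU ZoneMap'; Entry = "https://$HostName"; Zone = $zone }
    }
}

$iwa     = Get-RegValue "HKCU:\$IS" 'EnableNegotiate'     # 1 = IWA checkbox ticked
$entries = @(Get-ZoneFromPolicy $OrgHost) + @(Get-ZoneFromUserMap $OrgHost)

"EnableNegotiate : " + $(if ($null -eq $iwa) { 'not set' } else { $iwa })
if (-not $entries) { "No zone mapping found for $OrgHost" }
foreach ($e in $entries) {
    # Zone 1 is Local intranet; any other number means the wrong zone.
    $state = if ("$($e.Zone)" -eq '1') { 'OK' } else { 'WRONG ZONE' }
    "{0,-10} {1} -> zone {2} ({3})" -f $state, $e.Entry, $e.Zone, $e.Source
}
```

Run it as the signed-in user after `gpupdate /force`, since the `HKCU` values are per user.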

Next steps

Enable agentless Desktop Single Sign-on