Configure browsers for agentless Desktop Single Sign-on on Windows

Agentless DSSO is supported on Windows using Chrome, Chromium versions of Microsoft Edge, Internet Explorer, and Firefox. Previous versions of Microsoft Edge (Legacy) are not supported.

There are three main steps involved in configuring browsers on Windows:

  • Enabling IWA on the browsers.
  • Adding Okta to the local intranet in Internet Explorer (IE). The Okta URLs must include https://<myorg>.kerberos.okta.com.
  • Creating a GPO to apply these settings across all your client machines.

Internet Explorer

Although this procedure is specific to Internet Explorer, you can use a similar process to configure Chrome and Chromium Edge on Windows.

  1. Enable IWA on the browsers:
    1. In Internet Explorer, select Tools > Internet Options.
    2. Click the Advanced tab, scroll down to the Security settings, and select Enable Integrated Windows Authentication.
    3. Click OK.

    Note: Make sure that Internet Explorer can save session cookies (Internet Options > Privacy tab). If it cannot, neither SSO nor standard sign-in works.

  2. Configure the Local Intranet Zone to trust Okta:
    1. In IE, open Options > Security.
    2. Click Local Intranet > Sites > Advanced and add the URL for your Okta org as configured in earlier steps. For example: https://<myorg>.kerberos.okta.com.
    3. Click Close and OK on the other configuration options.
  3. Create a GPO to roll this out to all client machines that will use agentless DSSO.
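
To confirm on a client that the settings above were applied, the following PowerShell audit reads the corresponding registry values. It is an added example, not part of the Okta documentation. It assumes the GPO uses the "Site to Zone Assignment List" policy with the exact URL form shown above, and `myorg` is a placeholder for your org.

```powershell
# Added example (not from the Okta documentation): audit one Windows client for
# the Internet Explorer settings described in the steps above.
param(
    # Placeholder host: substitute your org for "myorg" (assumption).
    [string]$OktaHost = 'myorg.kerberos.okta.com'
)

$inet   = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$policy = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is missing.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# ZoneMap stores a host as Domains\<domain>\<subdomain>,
# for example okta.com\myorg.kerberos.
$labels = $OktaHost.Split('.')
$domain = $labels[-2..-1] -join '.'
$sub    = $labels[0..($labels.Count - 3)] -join '.'

# Step 1: "Enable Integrated Windows Authentication" is EnableNegotiate = 1.
$iwa = Get-RegValue "HKCU:\$inet" 'EnableNegotiate'

# Step 2: site added by hand in the UI, mapped to zone 1 (Local intranet).
$manual = Get-RegValue "HKCU:\$inet\ZoneMap\Domains\$domain\$sub" 'https'

# Step 3: site delivered by GPO (per-user or per-machine policy hive).
# Only the exact "https://<host>" entry is checked, not wildcard entries.
$gpo = foreach ($hive in 'HKCU:', 'HKLM:') {
    Get-RegValue "$hive\$policy\ZoneMapKey" "https://$OktaHost"
}

[pscustomobject]@{
    Host             = $OktaHost
    IwaEnabled       = ($iwa -eq 1)
    IntranetByUser   = ($manual -eq 1)
    IntranetByPolicy = ($gpo -contains '1')
}
```

Run it as the signed-in user whose browser is being checked, because the first two values live in that user's HKCU hive.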

Firefox

  1. Open the Firefox web browser, enter about:config in the Address bar, and press Enter.
  2. If the Proceed with Caution message appears, click Accept the Risk and Continue.
  3. In the Search preference name field, enter network.negotiate-auth.trusted-uris.
  4. Click Edit, enter <org>.kerberos.okta.com, and click Save.

Next steps

Enable agentless Desktop Single Sign-on