Enable agentless Desktop Single Sign-on

  1. In the Admin Console, go to Security > Delegated Authentication.
  2. Scroll to Agentless Desktop SSO.
  3. Click Edit and select a DSSO mode:
    • Off
    • Test — allows you to test DSSO by signing in using the direct agentless DSSO endpoint URL: https://<myorg>.okta.com/login/agentlessDsso.
    • On — For enabling SSO in production. Allows end users to sign in from the default sign-in endpoint, routing through the agentless DSSO sign-in endpoint. The end user doesn't need to explicitly type in the DSSO URL.
  4. For Allowed network zones, add the zones that are associated with the machines from which you will be implementing agentless DSSO.

    Note: If IdP Discovery is turned on, the network zone options will not be available. When IdP Discovery and agentless DSSO are both on, agentless DSSO network zones are controlled through the IdP Routing Rules. You will update the default IdP routing rule in Enable agentless Desktop Single Sign-on.

  5. In AD Instances, select the Active Directory instance on which you configured the SPN.
  6. Complete these fields to configure agentless DSSO for the selected Active Directory domain:
    • Desktop SSO — Select Enabled or Disabled depending on whether you are enabling for production or testing.

    • Service account username — This is the AD sign-on name that you created in Enable agentless Desktop Single Sign-on, without any domain suffix or NetBIOS name prefix. It can be the sAMAccountName or the username part of the UPN. These two may be the same string unless the Org admin chose to use different values.

      This field is case sensitive. When the UPN prefix differs from sAMAccountName, the service account username needs to be the same as the UPN and include the domain suffix. For example, agentlessDsso@mydomain.com.

      When the service account user name and the AD user account name don't match, agentless DSSO can fail. When this happens, you are returned to the default sign-on page and a GSS_ERR error appears in the SysLog. The service account user name and the AD user account are case sensitive and must match.

    • Service account password — Password for the account that you created in AD.

    • Validate service account credential on save — Optional. Validates the service account credentials as an optional step in saving the Kerberos realm configuration. If it's checked, the service account will be authenticated by the AD agent. If the credentials cannot be validated, an error message appears. If you don't want to validate or can't because the AD agent isn't responsive, the box can be unchecked to skip the validation.
  7. Click Save.
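The Service account username rule above (no domain suffix or NetBIOS prefix; the full UPN only when the UPN prefix differs from sAMAccountName; case sensitive) is easy to get wrong and surfaces only as a GSS_ERR after the fact. The following helper is an added example, not Okta's code: it derives the value that belongs in the field from an AD account's sAMAccountName and UPN, and explains why a value an admin typed would not match. The `AdServiceAccount` class, the function names and the sample account values are constructed for this illustration.

```python
"""Derive and check the Okta "Service account username" field value.

Added example (not Okta's code). It encodes the rule stated on this page:
  - enter the AD sign-on name with no domain suffix and no NetBIOS prefix;
  - when the UPN prefix differs from sAMAccountName, enter the full UPN
    (prefix@domain) instead;
  - the comparison Okta performs is case sensitive.
All account values below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AdServiceAccount:
    sam_account_name: str   # e.g. "agentlessDsso"
    upn: str                # e.g. "agentlessDsso@mydomain.com"


def expected_field_value(acct: AdServiceAccount) -> str:
    """Return the exact string to enter in the Service account username field."""
    upn_prefix, _, _ = acct.upn.partition("@")
    if upn_prefix == acct.sam_account_name:
        # Same string for both: enter it bare, no suffix, no prefix.
        return acct.sam_account_name
    # Prefixes differ: the page says to enter the full UPN, suffix included.
    return acct.upn


def diagnose_entered_value(entered: str, acct: AdServiceAccount) -> list[str]:
    """Explain why a typed value would fail the case-sensitive match.

    Returns an empty list when the value is correct, otherwise one short
    reason per defect found (NetBIOS prefix, suffix, case, wrong name).
    """
    expected = expected_field_value(acct)
    if entered == expected:
        return []

    problems: list[str] = []
    value = entered
    if "\\" in value:
        # DOMAIN\user form: the page says no NetBIOS name prefix.
        problems.append("NetBIOS prefix present: remove it")
        value = value.split("\\", 1)[1]

    local, _, suffix = value.partition("@")
    exp_local, _, exp_suffix = expected.partition("@")

    if suffix and not exp_suffix:
        problems.append("domain suffix present but not needed: "
                        "sAMAccountName matches the UPN prefix")
    elif not suffix and exp_suffix:
        problems.append("domain suffix missing: UPN prefix differs from "
                        "sAMAccountName, enter the full UPN")
    elif suffix and exp_suffix and suffix != exp_suffix:
        problems.append("domain suffix does not match the account's UPN")

    if local != exp_local:
        if local.lower() == exp_local.lower():
            problems.append("case differs from the AD account name "
                            "(the field is case sensitive)")
        else:
            problems.append("name does not match the AD account")
    return problems


if __name__ == "__main__":
    # Constructed sample: UPN prefix equals sAMAccountName.
    same = AdServiceAccount("agentlessDsso", "agentlessDsso@mydomain.com")
    # Constructed sample: UPN prefix was chosen differently from sAMAccountName.
    differs = AdServiceAccount("svc-dsso", "agentlessDsso@mydomain.com")
    for acct in (same, differs):
        print(acct, "->", expected_field_value(acct))
    for typed in ("agentlessdsso", "MYDOMAIN\\agentlessDsso",
                  "agentlessDsso@mydomain.com"):
        print(repr(typed), diagnose_entered_value(typed, same))
```

Run it against the two constructed accounts: the first yields the bare `agentlessDsso`, the second yields the full UPN, and the diagnosis for `agentlessdsso` points at the case difference that would otherwise show up only as a GSS_ERR in the SysLog.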

Next steps

Update the default Desktop Single Sign-on Identity Provider routing rule