Configure Mac browsers for SSO

Although IWA SSO may work if you choose not to configure your browser, Okta recommends that you review the relevant information for your browser type and then configure your browser.

OS/X Safari

IWA is enabled automatically in Safari on OS/X. Make sure that the OS/X host is a Windows domain member. For how to add your Macintosh OS/X host to a Windows domain, see the article OS X Mountain Lion: Join your Mac to a network account server.

Mozilla Firefox

The following configuration permits Firefox to properly pass the Kerberos ticket with IWA, but Firefox still warns the user about the transition from an HTTPS page to an HTTP page. To resolve this issue, deploy IWA in HTTPS mode.

  1. In the Firefox address bar, enter about:config

    Note: Firefox 3.x and later displays a warning message asking you to proceed with caution; accept it to continue.

  2. After the configuration page loads, enter the following in the Search field:

    network.negotiate-auth.trusted-uris

  3. In this field, list the host name of the IWA server. If two or more IWA instances are deployed, separate the host names with a comma (,).

    Note: The order does not matter if you enter more than one host name.

    We recommend that you enter the fully qualified domain name (FQDN) of your IWA host servers. If you do not, you will also need to toggle the following values to TRUE:

    network.automatic-ntlm-auth.allow-non-fqdn
    network.negotiate-auth.allow-non-fqdn
  4. Right-click the Value column for each of the two preferences above and toggle the value to True.
  5. Click OK.

Google Chrome

IWA capability is enabled automatically in Chrome on OS/X, and just like on Windows, the capability is governed by a whitelist. If a site asks your browser to provide the Kerberos ticket, the browser only provides the ticket if the site is on the whitelist.

  1. Launch the Terminal application.
  2. Create a Kerberos ticket for the account:

    kinit username@example.com

    Replace username@example.com with your actual user name and domain, and enter your password when prompted.

  3. Configure the Chrome whitelist:

    $ defaults write com.google.Chrome AuthServerWhitelist "*.example.com"

    $ defaults write com.google.Chrome AuthNegotiateDelegateWhitelist "*.example.com"

    Replace example.com with your actual domain.
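The Firefox and Chrome steps above, as an added shell example that is not part of the Okta page: it builds the comma-separated value for network.negotiate-auth.trusted-uris from IWA host names (rejecting any that are not fully qualified, since those would also need the allow-non-fqdn preferences), and writes the two Chrome settings with defaults and reads them back to confirm. IWA_DOMAIN and the iwa1/iwa2 host names are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the Okta page: build the Firefox trusted-URIs value
# and apply/verify the Chrome whitelists from the steps above.
# The domain and host names are constructed placeholders; adjust to your own.
IWA_DOMAIN="${IWA_DOMAIN:-example.com}"

# Return 0 when the name is fully qualified (label.label form, valid
# hostname characters only). Non-FQDN hosts would also require the two
# allow-non-fqdn Firefox preferences, so they are rejected here.
is_fqdn() {
  printf '%s' "$1" | grep -Eq \
    '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# Join IWA host names with commas, the format Firefox expects in
# network.negotiate-auth.trusted-uris. Fails if any name is not an FQDN.
firefox_trusted_uris() {
  out=""
  for h in "$@"; do
    is_fqdn "$h" || return 1
    out="${out:+$out,}$h"
  done
  printf '%s\n' "$out"
}

# Write both Chrome settings and read them back, so a mistyped pattern is
# caught immediately. AuthNegotiateDelegateWhitelist additionally lets
# Chrome delegate the user's Kerberos credentials to matching servers, so
# keep its pattern no broader than the IWA hosts actually need.
apply_chrome_whitelist() {
  pattern="$1"
  command -v defaults >/dev/null 2>&1 || { echo "defaults not found (not macOS?)" >&2; return 2; }
  defaults write com.google.Chrome AuthServerWhitelist "$pattern"
  defaults write com.google.Chrome AuthNegotiateDelegateWhitelist "$pattern"
  [ "$(defaults read com.google.Chrome AuthServerWhitelist)" = "$pattern" ] || return 1
  [ "$(defaults read com.google.Chrome AuthNegotiateDelegateWhitelist)" = "$pattern" ] || return 1
}

# Only touch the live Chrome preferences when explicitly asked (--apply).
if [ "${1:-}" = "--apply" ]; then
  firefox_trusted_uris "iwa1.$IWA_DOMAIN" "iwa2.$IWA_DOMAIN"   # value to paste into Firefox
  apply_chrome_whitelist "*.$IWA_DOMAIN"
fi
```

Run it with --apply on the Mac after kinit has obtained a ticket; without the flag it only defines the functions.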

Next steps

Activate the Okta IWA Web agent