Desktop Single Sign-on FAQ
Yes. When both are enabled and the user tries to sign in, Okta first tries authenticating against Agentless DSSO and if that fails, it falls back to the on-prem IWA server.
No. You need to be on-network to sign in through Agentless DSSO. However, Agentless DSSO does work over a VPN connection.
Yes. In order for Agentless DSSO to work, the computer needs to be domain joined.
No. Agentless DSSO removes the need to have any IWA agents on your machines. Instead, the Kerberos validation is done on Okta's servers.
No, that's expected. When the end user goes to the browser and types in <myorg>.okta.com, Okta sees that your org has Agentless DSSO enabled and issues a 401 authentication challenge; the browser obtains a Kerberos ticket from your KDC and returns it to Okta.
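The exchange the previous answer describes, the 401 challenge followed by a Kerberos ticket presented on the retry, as an added toy simulation that is not Okta's code. Only the endpoint path comes from this FAQ; the service principal name, the ticket format, the in-memory KDC and the host lists are constructed stand-ins so the flow can be traced offline, including the two failure modes the FAQ mentions (a machine that is not domain joined, or one that cannot reach the KDC because it is off-network):

```python
"""Toy simulation of the HTTP Negotiate (Kerberos) challenge/response
for /login/agentlessDSSO.  Added example, not Okta code: the KDC, the
ticket encoding and the shared key are constructed stand-ins."""
import base64
import hashlib
import hmac
from dataclasses import dataclass, field

AGENTLESS_DSSO_PATH = "/login/agentlessDSSO"            # endpoint named in the FAQ
SERVICE_SPN = "HTTP/example-org.kerberos.okta.example"  # hypothetical SPN, not a real one

# Constructed secret shared by the toy KDC and the toy endpoint; it stands in
# for the service account's Kerberos key and is not a real credential.
_SERVICE_KEY = b"constructed-demo-service-key"


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


class ToyKDC:
    """Issues a service ticket only to a domain-joined host that can reach the
    KDC (on-network or VPN), mirroring the FAQ's preconditions."""

    def __init__(self, joined_hosts, reachable_hosts):
        self.joined = set(joined_hosts)
        self.reachable = set(reachable_hosts)

    def service_ticket(self, host, user, spn):
        if host not in self.reachable or host not in self.joined:
            return None
        body = f"{user}|{spn}".encode()
        mac = hmac.new(_SERVICE_KEY, body, hashlib.sha256).hexdigest()
        return base64.b64encode(body + b"|" + mac.encode()).decode()


class ToyAgentlessDssoEndpoint:
    """Server side: answers 401 + WWW-Authenticate: Negotiate until a ticket
    that verifies under the shared key is presented for the expected SPN."""

    def handle(self, headers):
        challenge = Response(401, {"WWW-Authenticate": "Negotiate"})
        auth = headers.get("Authorization", "")
        if not auth.startswith("Negotiate "):
            return challenge
        try:
            token = base64.b64decode(auth[len("Negotiate "):]).decode()
            user, spn, mac = token.split("|")
        except (ValueError, UnicodeDecodeError):
            return challenge
        expected = hmac.new(_SERVICE_KEY, f"{user}|{spn}".encode(), hashlib.sha256).hexdigest()
        if spn != SERVICE_SPN or not hmac.compare_digest(mac, expected):
            return challenge
        return Response(200, {"X-Authenticated-User": user})


def browser_sign_in(kdc, endpoint, host, user):
    """Client side: first request carries no credentials; on a Negotiate
    challenge the browser asks the KDC for a ticket and retries.  Returns the
    list of (request_headers, response) pairs so the exchange can be inspected."""
    trace = []
    first = endpoint.handle({})
    trace.append(({}, first))
    if first.status == 401 and first.headers.get("WWW-Authenticate") == "Negotiate":
        ticket = kdc.service_ticket(host, user, SERVICE_SPN)
        if ticket is None:  # not joined or off-network: nothing to present, sign-in stalls at 401
            return trace
        retry = {"Authorization": "Negotiate " + ticket}
        trace.append((retry, endpoint.handle(retry)))
    return trace


if __name__ == "__main__":
    kdc = ToyKDC(joined_hosts={"pc1", "pc2"}, reachable_hosts={"pc1", "pc3"})
    endpoint = ToyAgentlessDssoEndpoint()
    for host, user in (("pc1", "alice"), ("pc2", "bob"), ("pc3", "carol")):
        steps = [r.status for _, r in browser_sign_in(kdc, endpoint, host, user)]
        print(f"{host}/{user}: {AGENTLESS_DSSO_PATH} -> {steps}")
```

The trace for the healthy host shows the 401 followed by a 200, which is why a single 401 on the endpoint is expected rather than an error; a sign-in that stops at the 401 is the signature of a machine that could not obtain a ticket.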
No. Okta uses the user's SID to locate and authenticate the user, so it shouldn't matter if they don't match: the request resolves to the user object by SID.
The current rate limit for the Agentless DSSO endpoint /login/agentlessDSSO is 1000/minute. This is double the on-prem rate limit described in Concurrent Rate Limits because each successful login performs two HTTP requests to the Agentless DSSO endpoint. The number of successful logins per minute will be the same as with on-prem IWA.