Configure browsers for Mac agentless Desktop Single Sign-on

Apple macOS supports agentless Desktop Single Sign-on (ADSSO) in the Safari, Chrome, Microsoft Edge (Chromium), and Firefox browsers.

Ensure that the macOS host is a Windows domain member. To add your macOS host to a Windows domain, see Join your Mac to a network account server.

If you have a self-hosted Sign-In Widget, see Third Party Cookies Utilized by the Sign-in Widget for instructions.

ADSSO doesn't work if a user belongs to more than 600 security groups or if the user's Kerberos token is otherwise too large for Okta to consume. When ADSSO is implemented or migrated, such a user receives a 400 Bad Request response instead of signing in.

Safari

ADSSO is enabled automatically in Safari on macOS.

Add your Okta org URL to Chrome

You can configure Chrome manually on each computer. You can also use Terminal or a device management solution to push the configuration to all client machines that use ADSSO.

Manual method

Do this task on each computer.

  1. Click Customize and control Google Chrome (the three dots in the upper-right corner).
  2. Select Settings.
  3. Select Privacy and security.
  4. Click Third-party cookies.
  5. In the Sites allowed to use third-party cookies section, click Add.
  6. Enter the URL for your Okta org. Use this string as a model: org.kerberos.okta.com. Replace org with your org name, and replace okta with oktapreview or okta-emea if required.

    If you use a custom domain, add the custom domain URL to the CookiesAllowedForUrls content setting as well.

  7. Click Add.

Terminal or device management method

Use this method to push the changes to all client machines that use ADSSO.

Use these entries as a model. Replace org with your org name, and replace okta with oktapreview or okta-emea if required:

defaults write com.google.Chrome AuthServerAllowlist org.kerberos.okta.com

defaults write com.google.Chrome AuthNegotiateDelegateAllowlist org.kerberos.okta.com

Add your Okta org URL to Microsoft Edge (Chromium)

Configure Microsoft Edge (Chromium) using Terminal or a device management solution to push the configuration to all client machines that use ADSSO.

Use these entries as a model. Replace org with your org name, and replace okta with oktapreview or okta-emea if required:

defaults write com.microsoft.Edge AuthServerAllowlist org.kerberos.okta.com

defaults write com.microsoft.Edge AuthNegotiateDelegateAllowlist org.kerberos.okta.com
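The Chrome and Edge entries above can be pushed with a small script rather than typed by hand. The following is an added example (not Okta's own tooling): it derives the Kerberos hostname from an org name and cell, refuses anything that isn't a bare host, writes the same two keys the page lists for both browsers, and reads them back to confirm the stored value. Assumed inputs are the org name and the cell (okta, oktapreview, or okta-emea); custom domains are not handled.

```shell
#!/bin/sh
# Added example: push the ADSSO allowlist entries to Chrome and Edge on macOS.
# Assumes the org name and cell are the only inputs (no custom domain).

# adsso_host ORG CELL -> prints "ORG.kerberos.CELL.com", or fails with a message.
adsso_host() {
  org="$1"; cell="$2"
  # An org name is a single DNS label: letters, digits and inner hyphens only.
  # Schemes, dots or paths (e.g. "https://org", "org/") must never reach the
  # allowlist, where they would either fail to match or match too broadly.
  case "$org" in
    ''|*[!A-Za-z0-9-]*|-*|*-) echo "invalid org name: '$org'" >&2; return 1 ;;
  esac
  case "$cell" in
    okta|oktapreview|okta-emea) ;;
    *) echo "unknown cell: '$cell' (use okta, oktapreview or okta-emea)" >&2; return 1 ;;
  esac
  printf '%s.kerberos.%s.com\n' "$org" "$cell"
}

# apply_allowlist DOMAIN HOST: write both keys for one browser and read them back.
# The value stays the exact host: a wildcard such as *.okta.com would let every
# matching server receive Negotiate tickets and, via the delegate key, delegated
# Kerberos credentials.
apply_allowlist() {
  domain="$1"; host="$2"
  for key in AuthServerAllowlist AuthNegotiateDelegateAllowlist; do
    defaults write "$domain" "$key" "$host" || return 1
    got=$(defaults read "$domain" "$key") || return 1
    if [ "$got" != "$host" ]; then
      echo "$domain $key is '$got', expected '$host'" >&2
      return 1
    fi
  done
}

# Usage: sh adsso_allowlist.sh <org> [okta|oktapreview|okta-emea]
if [ -n "$1" ]; then
  host=$(adsso_host "$1" "${2:-okta}") || exit 1
  apply_allowlist com.google.Chrome "$host" && apply_allowlist com.microsoft.Edge "$host"
fi
```

Run it as the user whose browser profile should receive the setting; `defaults read` on each key afterwards shows the value that was stored.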

Add your Okta org URL to Mozilla Firefox

Configure Firefox manually on each computer.

  1. Open the Firefox web browser, enter about:config in the Address bar, and press Enter.
  2. If the Proceed with Caution message appears, click Accept the Risk and Continue.
  3. In the Search preference name field, enter network.negotiate-auth.trusted-uris.
  4. Click Edit and then enter the URL for your Okta org. Use this string as a model: org.kerberos.okta.com. Replace org with your org name, and replace okta with oktapreview or okta-emea if required.
  5. Click Save.

Next steps

Enable agentless Desktop Single Sign-on