Make sure that the macOS host is a Windows domain member. For how to add your macOS host to a Windows domain, see macOS Sierra: Join your Mac to a network account server.
Note: Agentless DSSO does not work if a single user has memberships to more than 600 security groups or if the Kerberos token is too large for Okta to currently consume. If a user with a large Kerberos packet implements or migrates Agentless DSSO, a 400 response appears and they are redirected to the regular sign-in page.
DSSO is enabled automatically in Safari on macOS.
Use Terminal or a device manager such as Jamf to update the Chrome AuthServerAllowlist and AuthNegotiateDelegateAllowlist policies to include the host shown in the following commands:
defaults write com.google.Chrome AuthServerAllowlist org.kerberos.okta.com
defaults write com.google.Chrome AuthNegotiateDelegateAllowlist org.kerberos.okta.com
Use Terminal or a device manager such as Jamf to update the Edge AuthServerAllowlist and AuthNegotiateDelegateAllowlist policies to include the host shown in the following commands:
defaults write com.microsoft.Edge AuthServerAllowlist org.kerberos.okta.com
defaults write com.microsoft.Edge AuthNegotiateDelegateAllowlist org.kerberos.okta.com
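The following audit script is an added example, not part of the original Okta instructions. It reads back the values written by the `defaults write` commands above and flags an allowlist that is missing the Kerberos host, contains a wildcard, or lists extra servers, because AuthNegotiateDelegateAllowlist decides which servers the browser delegates Kerberos credentials to. The function names, the status words and the `EXPECTED_HOST` variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the Chrome and Edge Kerberos allowlists on macOS.
# EXPECTED_HOST is an assumption: set it to the host used in your commands.
EXPECTED_HOST="${EXPECTED_HOST:-org.kerberos.okta.com}"

# classify_allowlist VALUE EXPECTED
# Prints: ok | missing | wildcard | extra
classify_allowlist() {
    value=$1 expected=$2
    [ -n "$value" ] || { echo missing; return; }
    found=no result=ok
    old_ifs=$IFS; IFS=,
    set -f                      # do not glob-expand entries such as "*"
    for entry in $value; do     # the policy value is comma-separated
        entry=$(printf '%s' "$entry" | tr -d ' "')
        case $entry in
            "$expected") found=yes ;;
            *'*'*)       result=wildcard ;;
            *)           [ "$result" = wildcard ] || result=extra ;;
        esac
    done
    set +f
    IFS=$old_ifs
    if [ "$result" = wildcard ]; then echo wildcard
    elif [ "$found" = no ]; then echo missing
    else echo "$result"; fi
}

# audit_browser DOMAIN  (for example com.google.Chrome)
audit_browser() {
    for key in AuthServerAllowlist AuthNegotiateDelegateAllowlist; do
        current=$(defaults read "$1" "$key" 2>/dev/null || true)
        status=$(classify_allowlist "$current" "$EXPECTED_HOST")
        printf '%s %s: %s\n' "$1" "$key" "$status"
    done
}

# Run the audit only where the macOS `defaults` tool exists.
if command -v defaults >/dev/null 2>&1; then
    audit_browser com.google.Chrome
    audit_browser com.microsoft.Edge
fi
```

Any status other than `ok` for AuthNegotiateDelegateAllowlist is worth reviewing before rollout, since that policy widens where credentials can be delegated.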
Open the Firefox web browser, enter about:config in the Address bar, and press Enter.
- If the Proceed with Caution message appears, click Accept the Risk and Continue.
In the Search preference name field, enter
Click Edit, enter <org>.kerberos.okta.com, and click Save.