Agentless DSSO is supported on Windows using Chrome, Chromium versions of Microsoft Edge, Internet Explorer, and Firefox. Previous versions of Microsoft Edge (Legacy) aren't supported.
To configure the browsers in a Windows environment for Agentless DSSO:
- Create a Group Policy Object (GPO) on a Windows server in the domain to apply the Integrated Windows Authentication (IWA) and URL settings to all Windows client machines in the domain.
- Enable IWA on the browsers.
- Add Okta to the local intranet in Internet Explorer (IE). The Okta URLs must include https://<myorg>.kerberos.okta.com.
Note: Agentless DSSO doesn't work if a single user is a member of more than 600 security groups or if the Kerberos token is too large for Okta to consume. If a user with a large Kerberos packet implements or migrates to Agentless DSSO, a 400 response appears and they're redirected to the regular sign-in page.
Although this procedure is specific to Internet Explorer, you can use a similar process to configure Chrome and Chromium Edge on Windows.
- Enable IWA on the browsers:
  - In Internet Explorer, select Tools > Internet Options. On Windows 10 and above, click the Settings icon from the Start menu and search for Internet Options in the search bar.
  - Click the Advanced tab, scroll down to the Security settings, and select Enable Integrated Windows Authentication.
  - Click OK.
Note: Make sure that Internet Explorer can save session cookies (Internet Options > Privacy tab). If it can't, neither SSO nor standard sign-in can work.
- Configure the Local Intranet Zone to trust Okta:
  - In IE, open Options > Security.
  - Click Local Intranet > Sites > Advanced and add the URL for your Okta org as configured in the earlier steps. For example: https://<myorg>.kerberos.okta.com.
  - Click Close and OK on the other configuration options.
- Create a GPO to roll this out to all client machines that will use Agentless DSSO.
The Okta URL must be added to the Chrome allowlist.
Add the following entry as a string value in the registry (in .reg syntax the string value is quoted):
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"AuthServerAllowlist"="org.kerberos.okta.com"
Note: Replace org.kerberos.okta.com with the host of the Okta org in which Agentless Desktop Single Sign-on is configured. For example: acme.kerberos.okta.com.
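As an added example that is not part of the Okta documentation, the following PowerShell script applies the Chrome allowlist and the IE Local Intranet mapping from the steps above on a single machine and reads both values back, so an administrator can confirm the exact registry state before building the GPO. The host name acme.kerberos.okta.com and the matching Chromium Edge policy key are assumptions.

```powershell
# Added example, not Okta's own script. Applies the Chrome/Edge AuthServerAllowlist
# and the IE Local Intranet (zone 1) mapping for the Okta Kerberos host on the local
# machine, then reads both back so the values can be verified before building the GPO.
# Run from an elevated PowerShell prompt; the HKLM policy keys need admin rights.
param(
    # Assumed example value: replace with your org's kerberos endpoint.
    [string]$OktaHost = 'acme.kerberos.okta.com'
)

# Guard: Agentless DSSO needs the <org>.kerberos.okta.com host, not the plain org URL.
if ($OktaHost -notmatch '^[A-Za-z0-9-]+\.kerberos\.okta\.com$') {
    throw "Expected <org>.kerberos.okta.com, got '$OktaHost'"
}

# 1. Chromium browsers read the allowlist from their HKLM policy keys.
#    The Edge key is an assumption; Chromium Edge uses the same policy name.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
)
foreach ($key in $policyKeys) {
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'AuthServerAllowlist' -PropertyType String `
        -Value $OktaHost -Force | Out-Null
}

# 2. IE Local Intranet zone: ZoneMap\Domains\<registrable domain>\<host prefix>,
#    with a DWORD named after the scheme. Value 1 = Local Intranet. Only https is
#    mapped, so a plain-http URL to the same host is not trusted. This is the
#    per-user (HKCU) mapping; the GPO site-to-zone assignment does the same for all users.
$labels   = $OktaHost.Split('.')
$domain   = $labels[-2..-1] -join '.'                    # okta.com
$prefix   = $labels[0..($labels.Length - 3)] -join '.'   # acme.kerberos
$zonePath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\$prefix"
New-Item -Path $zonePath -Force | Out-Null
New-ItemProperty -Path $zonePath -Name 'https' -PropertyType DWord -Value 1 -Force | Out-Null

# 3. Read back and report, so a typo or a wrong key is caught before roll-out.
foreach ($key in $policyKeys) {
    $v = (Get-ItemProperty -Path $key -Name 'AuthServerAllowlist').AuthServerAllowlist
    "{0,-45} AuthServerAllowlist = {1}" -f $key, $v
}
$zone = (Get-ItemProperty -Path $zonePath -Name 'https').https
"ZoneMap $domain\$prefix https = $zone (1 = Local Intranet)"
```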
To configure Firefox:
- Open the Firefox web browser and enter about:config in the address bar.
- If the Proceed with Caution message appears, click Accept the Risk and Continue.
- In the Search preference name field, enter
- Click Edit, enter <org>.kerberos.okta.com, and click Save.