Configure browsers for Windows agentless Desktop Single Sign-on

Microsoft Windows supports agentless Desktop Single Sign-on (ADSSO) using Chrome, Microsoft Edge (Chromium), and Firefox browsers. Previous versions of Microsoft Edge (legacy) aren't supported.

To configure ADSSO, you configure Internet Options in Windows, and then you configure your browser. You can manually configure browsers on each computer, or you can configure them centrally using a Group Policy Object (GPO).

If you have a self-hosted Sign-In Widget, see Third Party Cookies Utilized by the Sign-in Widget for instructions.

ADSSO doesn't work if a user belongs to more than 600 security groups or if the Kerberos token is too large for Okta to consume. If a user with a large Kerberos packet implements or migrates ADSSO, a 400 Bad Request response appears.

Configure Internet Options in Windows 10 or 11

You can configure Internet Options either manually on each computer, or create a GPO and push it to your users’ computers. Do either of these tasks before you configure your browser.

Manual method

Do this task on each computer.

  1. Open the Windows 10 or 11 Control Panel.
  2. Click Network and Internet.
  3. Click Internet Options.
  4. Select the Advanced tab.
  5. Ensure that Enable Integrated Windows Authentication in the Security section is selected.
  6. Click Apply.
  7. Select the Privacy tab.
  8. Click Advanced.
  9. Select Accept under First-party Cookies.
  10. Ensure that Always allow session cookies is selected. If you don’t select this option, neither single nor standard sign-on can work.
  11. Click OK and then OK to close Internet Properties.

Group Policy Object method

You can create a GPO on a Windows server in the domain and push it to all client machines that use ADSSO. Ensure that the GPO includes these settings:

  • Enables Integrated Windows Authentication.
  • Accepts first-party cookies.
  • Always allows session cookies for org.okta.com and org.kerberos.okta.com. Replace org with your org name, and replace okta with oktapreview or okta-emea if required.

Add your Okta org URL to Microsoft Edge

You can configure Microsoft Edge manually on each computer. You can also create a GPO and push the configuration to all client machines that use ADSSO. Do either of these tasks after you configure Internet Options in Windows.

Manual method

Do this task on each computer.

  1. Open the Windows 10 or 11 Control Panel.
  2. Click Network and Internet.
  3. Click Internet Options.
  4. Select the Security tab.
  5. Select Local intranet, and then click Sites.
  6. Click Advanced.
  7. In Add this website to the zone, enter the URL for your Okta org. Use this string as a model: org.kerberos.okta.com. Replace org with your org name, and replace okta with oktapreview or okta-emea if required.
  8. Click Add.
  9. Click Close and then OK on the remaining dialogs.

Group Policy Object method

You can create a GPO on a Windows server in the domain and push it to all client machines that use ADSSO. Do either of these tasks:

  • Create a GPO using the Administrative Template for Microsoft Edge. See Configure Microsoft Edge policy settings on Windows devices.
  • Create a GPO to add org.kerberos.okta.com to Zone 1 (Intranet Sites) in Internet Options. Replace org with your org name, and replace okta with oktapreview or okta-emea if required.

Add your Okta org URL to Chrome

You can configure Chrome either manually or add an entry to the Windows registry on each computer. Do either of these tasks after you configure Internet Options in Windows.

Manual method

Do this task on each computer.

  1. Click Customize and control Google Chrome (the three dots in the upper-right corner).
  2. Select Settings.
  3. Select Privacy and security.
  4. Click Third-party cookies.
  5. In the Sites allowed to use third-party cookies section, click Add.
  6. Enter the URL for your Okta org. Use this string as a model: org.kerberos.okta.com. Replace org with your org name, and replace okta with oktapreview or okta-emea if required.

    If you use a custom domain, add this URL to the CookiesAllowedforURLs content setting.

  7. Click Add.

Windows registry method

Do this task on each computer.

  1. Open the Windows Registry.

  2. Add this entry as a string value:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome] "AuthServerAllowlist"=org.kerberos.okta.com

    Replace org with your org name, and replace okta with oktapreview or okta-emea if required.

    If you use a custom domain, add this URL to the CookiesAllowedforURLs content setting.

Group Policy Object method

You can create a GPO on a Windows server in the domain and push it to all client machines that use ADSSO. You can use an Administrative Template to create the Group Policy. See Set Chrome Browser policies on managed PCs.

Add your Okta org URL to Mozilla Firefox

Do this task on each computer after you configure Internet Options in Windows.

  1. Open the Firefox web browser, and then enter about:config in the Address bar.
  2. If the Proceed with Caution message appears, click Accept the Risk and Continue.
  3. In the Search preference name field, enter network.negotiate-auth.trusted-uris.
  4. Click Edit and then enter the URL for your Okta org. Use this string as a model: org.kerberos.okta.com. Replace org with your org name, and replace okta with oktapreview or okta-emea if required.
  5. Click Save.

Next steps

Enable agentless Desktop Single Sign-on