- In the Admin Console, go to .
- Scroll to Agentless Desktop SSO.
- Click Edit and select a DSSO mode:
- Test: Allows you to test DSSO by signing in using the direct agentless DSSO endpoint URL: https://myorg.okta.com/login/agentlessDsso.
- On: Allows you to enable SSO in production and lets users sign in from the default sign-in endpoint, routing through the agentless DSSO sign-in endpoint. The end user doesn't need to explicitly type in the DSSO URL.
- For Allowed network zones, add the zones that are associated with the machines from which you're implementing agentless DSSO.
When Identity Provider (IdP) Discovery is turned on, the network zone options aren't available. If IdP Discovery and agentless DSSO are both on, agentless DSSO network zones are controlled through the IdP routing rules. You update the default IdP routing rule in Update the default Desktop Single Sign-on Identity Provider routing rule .
- In AD Instances, select the Active Directory instance on which you configured the SPN.
- Complete these fields to configure Agentless DSSO for the selected AD domain:
Desktop SSO: Select Enabled or Disabled depending on whether you're enabling for production or testing.
Service account username: This is the AD sign-in name without any domain suffix or Netbios name prefix. (See Create a service account and configure a Service Principal Name.) It can be the sAMAccountName or the username part of the UPN. These two may be the same string unless the org admin chose to use different values.
This field is case-sensitive. When the UPN prefix differs from sAMAccountName, the service account username must be the same as the UPN and include the domain suffix. For example, agentlessDsso@mydomain.com.
When the service account username and the AD user account name don’t match, Agentless DSSO can fail. When this happens, you're returned to the default sign-in page and a GSS_ERR error appears in the System Log. The service account username and the AD user account are case sensitive and must match when AES encryption is enabled on the service account.
Service account password: Password for the account that you created in AD.
- Validate service account credential on save: Optional. Not case sensitive. Validates the service account credentials as an optional step in saving the Kerberos realm configuration. If it's checked, the AD agent authenticates the service account. If the credentials can't be validated, an error message appears. If you don't want to validate or can't because the AD agent isn't responsive, you can clear the box to skip the validation.
- Click Save.