Migrate from Integrated Windows Authentication to agentless Desktop Single Sign-on

To simplify user access management, Okta encourages you to move from Integrated Windows Authentication (IWA) to agentless Desktop Single Sign-on (ADSSO). Okta is no longer adding new IWA functionality and offers only limited support and bug fixes.

  1. Configure agentless Desktop Single Sign-on.
  2. Set IWA as a failover option for ADSSO:
    1. In the Admin Console, go to Security > Delegated Authentication.
    2. In the On-Prem Desktop SSO area, click Edit.
    3. Under Failover, select a failover setting:
      • Redirect to backup IWA if primary goes offline — When selected, Okta automatically switches users to a healthy backup IWA Web agent if your primary IWA Web agent goes offline. Your AD Agent checks the health of each IWA Web agent that you have set up, so a backup is only used while it reports healthy.
      • Only redirect to primary IWA agent (default) — When selected, Okta never fails over to a backup agent: if the primary IWA agent goes offline, users are redirected to it again only once it is brought back online. Select this option if you have not configured a backup IWA Web agent or you do not want to redirect users to a global redirect URL.
      • Only redirect to the following URL — When selected, users are redirected to a URL that you specify. This is typically used to send users to a load balancer that sits in front of your IWA Web agents.
    4. Click Save.
  3. Test your ADSSO configuration. See Test the agentless Desktop Single Sign-on configuration.
  4. Delete routing rules:
    1. In the Admin Console, go to Security > Identity Providers > Routing Rules.
    2. Identify and delete every rule whose identity provider is OnPremDSSO.

    If you use Device Trust on desktop devices, remove the Device Trust configuration before you continue with the next steps.

  5. Make ADSSO active:
    1. In the Admin Console, go to Security > Delegated Authentication.
    2. Scroll to Agentless Desktop SSO and Silent Activation.
    3. Click Edit and select On.
    4. Scroll down and click Save.
  6. Disable the Okta IWA agent:
    1. In the Admin Console, go to Security > Delegated Authentication.
    2. Scroll to On-Prem Desktop SSO.
    3. Click Edit and select Off.
    4. Scroll down and click Save.
  7. Optional. Delete the Okta IWA agent:
    1. In the Admin Console, go to Security > Delegated Authentication.
    2. Scroll to On-Prem Desktop SSO.
    3. Click Edit and scroll to the IWA Agents section.
    4. Click Delete and Delete Agent in the Delete IWA Agent dialog.
    5. Optional. Repeat step 4 to delete additional Okta IWA agents.
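Step 4 above asks you to find and delete every routing rule that targets OnPremDSSO. In a tenant with many rules it is easy to miss one, and a leftover rule keeps sending users to the IWA agent after you switch it off. The script below is an added example, not Okta's own tooling or code from this page: it pulls the rules of the IdP discovery policy through the Okta Policies API, selects the rules that target On-Prem Desktop SSO, and deletes them only when you explicitly leave dry-run mode. It assumes the routing rules are the rules of the `IDP_DISCOVERY` policy (`GET /api/v1/policies?type=IDP_DISCOVERY`, then `/api/v1/policies/{id}/rules`), that a rule's target providers are listed under `actions.idp.providers[]`, and that the On-Prem DSSO provider is recognisable either by an assumed provider type string (`ONPREM_DSSO_TYPE`) or by the IdP id you pass in; the sample rules are constructed for illustration.

```python
"""Find, and optionally delete, Okta routing rules that target On-Prem Desktop SSO.

Added example for the migration's "Delete routing rules" step; not Okta's own code.
Assumptions (not confirmed by the page): routing rules live in the IDP_DISCOVERY
policy, a rule's targets are under actions.idp.providers[], and the On-Prem DSSO
provider is matched by ONPREM_DSSO_TYPE or by the IdP id you supply.
"""
import json
import os
import urllib.request

ONPREM_DSSO_TYPE = "IWA"  # assumed provider type string for On-Prem Desktop SSO

# Constructed sample: what /api/v1/policies/{id}/rules might return (trimmed).
SAMPLE_RULES = [
    {"id": "0pr1", "name": "Corp network to On-Prem DSSO", "system": False,
     "actions": {"idp": {"providers": [{"type": "IWA", "id": "0oaDSSO"}]}}},
    {"id": "0pr2", "name": "Partner SAML", "system": False,
     "actions": {"idp": {"providers": [{"type": "SAML2", "id": "0oaPARTNER"}]}}},
    {"id": "0pr3", "name": "Default Rule", "system": True,  # cannot be deleted
     "actions": {"idp": {"providers": [{"type": "OKTA"}]}}},
    {"id": "0pr4", "name": "Legacy rule matched by IdP id", "system": False,
     "actions": {"idp": {"providers": [{"type": "DSSO", "id": "0oaDSSO"}]}}},
]


def rule_targets_onprem_dsso(rule, idp_id=None):
    """True if any provider of the rule is the On-Prem DSSO IdP (by type or id)."""
    providers = rule.get("actions", {}).get("idp", {}).get("providers", [])
    for provider in providers:
        if provider.get("type") == ONPREM_DSSO_TYPE:
            return True
        if idp_id and provider.get("id") == idp_id:
            return True
    return False


def find_onprem_dsso_rules(rules, idp_id=None):
    """Return deletable (non-system) rules that route users to On-Prem DSSO."""
    return [r for r in rules
            if not r.get("system") and rule_targets_onprem_dsso(r, idp_id)]


def okta_request(org_url, token, method, path, body=None):
    """Minimal Okta API call using an SSWS API token (stdlib only)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(org_url.rstrip("/") + path, data=data, method=method)
    req.add_header("Authorization", "SSWS " + token)
    req.add_header("Accept", "application/json")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def delete_rules(org_url, token, policy_id, rules, dry_run=True):
    """Delete the given rules; in dry-run mode only report what would be deleted.

    Returns the list of rule ids deleted (or that would be deleted)."""
    deleted = []
    for rule in rules:
        if not dry_run:
            okta_request(org_url, token, "DELETE",
                         f"/api/v1/policies/{policy_id}/rules/{rule['id']}")
        deleted.append(rule["id"])
    return deleted


def main():
    # Real run: OKTA_ORG_URL, OKTA_API_TOKEN and (optionally) ONPREM_DSSO_IDP_ID
    # come from the environment; set OKTA_DELETE=1 to leave dry-run mode.
    org_url = os.environ["OKTA_ORG_URL"]
    token = os.environ["OKTA_API_TOKEN"]
    idp_id = os.environ.get("ONPREM_DSSO_IDP_ID")
    dry_run = os.environ.get("OKTA_DELETE") != "1"

    policies = okta_request(org_url, token, "GET", "/api/v1/policies?type=IDP_DISCOVERY")
    for policy in policies:
        rules = okta_request(org_url, token, "GET", f"/api/v1/policies/{policy['id']}/rules")
        targets = find_onprem_dsso_rules(rules, idp_id)
        for rule in targets:
            print(("would delete" if dry_run else "deleting"), rule["id"], rule["name"])
        delete_rules(org_url, token, policy["id"], targets, dry_run=dry_run)


if __name__ == "__main__":
    main()
```

Run it once in dry-run mode, compare the reported rules with what the Routing Rules page shows, and only then set `OKTA_DELETE=1`. The system default rule is skipped deliberately: Okta does not allow it to be deleted, and it is the rule that keeps routing users to Okta (and therefore to ADSSO) after the IWA-specific rules are gone.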