Desktop Single Sign-on FAQ
Can I use Agentless DSSO while remote?
No. You need to be on-network to sign in through Agentless DSSO. However, if you're using a VPN, Agentless DSSO works.
Do I need to open any special ports for this to work?
No.
Do computers need to be domain joined?
Yes. For Agentless DSSO to work, the computer needs to be domain joined.
Do I need to install an agent on my machines?
No. Agentless DSSO removes the need to have any IWA agents on your machines. Instead, the Kerberos validation is done on the Okta servers.
When troubleshooting I see a 401 error from Okta, does this mean something is failing?
This is the expected behavior. When the end user goes to the browser and types in <myorg>.okta.com, Okta sees that your org has Agentless DSSO enabled. It then kicks off a 401 authenticate challenge to your KDC, which returns a Kerberos ticket back to Okta.
Can I recreate rewrite rules?
No.
Does my UPN domain name suffix need to be the same as the AD domain's primary DNS suffix?
No. Okta uses the user SID to locate and authenticate the user. So it shouldn't matter if they don't match because the request resolves to the user object using SID.
Does Agentless DSSO have any rate limits?
The current rate limit for the Agentless DSSO endpoint (/login/agentlessDSSO) is 1000/minute. This is double the on-premises rate limit as described in Set token rate limits (optional) because each successful sign-in flow performs two http commands to the Agentless DSSO endpoint. The number of successful sign-in flows per minute are the same as on-premises IWA.