Configure browsers for agentless Desktop Single Sign-on on Mac

Make sure that the macOS host is a Windows domain member. For how to add your Macintosh OS/X host to a Windows domain, see macOS Sierra: Join your Mac to a network account server.

Note: Agentless DSSO does not work if a single user has memberships to more than 600 security groups or if the Kerberos token is too large for Okta to currently consume. If a user with a large Kerberos packet implements or migrates Agentless DSSO, a 400 response appears and they are redirected to the regular sign-in page.

Safari

DSSO is enabled automatically in Safari on OS/X.

Chrome

Use Terminal or a device manager such as Jamf to update the Chrome AuthServerAllowlist and AuthNegotiateDelegateAllowlist policy registers to include <org>.kerberos.okta.com:

defaults write com.google.Chrome AuthServerAllowlist org.kerberos.okta.com

defaults write com.google.Chrome AuthNegotiateDelegateAllowlist org.kerberos.okta.com

Chromium Edge

Use Terminal or a device manager such as Jamf to update the AuthServerAllowlist and AuthNegotiateDelegateAllowlist policies to include <org>.kerberos.okta.com:

defaults write com.microsoft.Edge AuthServerAllowlist org.kerberos.okta.com

defaults write com.microsoft.Edge AuthNegotiateDelegateAllowlist org.kerberos.okta.com

Firefox

  1. Open the Firefox web browser, enter about:config in the Address bar, and press Enter.
  2. If the Proceed with Caution message appears, click Accept the Risk and Continue.
  3. In the Search preference name field, enter network.negotiate-auth.trusted-uris.
  4. Click Edit, enter <org>.kerberos.okta.com, and click Save.

Next steps

Enable agentless Desktop Single Sign-on