When your client machines are domain-joined and you want your SSO to be seamless, you need to use Integrated Windows Authentication (IWA). IWA works only when the client machine can reach your internal Single Sign-On host server, either over VPN or from the corporate network in the office.


IWA for OS X Clients

Mozilla Firefox

Note: Firefox requires your IWA service to be using https.

  1. Open Firefox and navigate to about:config
  2. Edit the following settings:

    Setting                                      Value
    network.negotiate-auth.delegation-uris       InternalSSOHostserver.domain.com
    network.automatic-ntlm-auth.trusted-uris     InternalSSOHostserver.domain.com
    network.automatic-ntlm-auth.allow-proxies    True
    network.negotiate-auth.allow-proxies         True
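
The two URI settings above tell Firefox which hosts may receive the user's Negotiate/NTLM credentials (and, for delegation-uris, a forwardable Kerberos ticket), so a value broader than the SSO host widens where those credentials are sent. The following audit script is an added example, not part of the original article or Okta's tooling: it reads a Firefox prefs.js, prints each IWA-related pref, and flags any URI pref that is unset or not exactly the expected host. The host name InternalSSOHostserver.domain.com is the page's placeholder, and the prefs.js content is constructed so the script runs offline; on a real Mac point it at ~/Library/Application Support/Firefox/Profiles/<profile>/prefs.js.

```shell
#!/bin/sh
# Audit a Firefox prefs.js for the IWA settings described above and flag
# URI values that are not limited to the expected SSO host.

EXPECTED_HOST="InternalSSOHostserver.domain.com"   # placeholder from the article

# Constructed sample prefs.js (trusted-uris is deliberately too broad).
write_sample_prefs() {
  cat > "$1" <<'EOF'
user_pref("network.negotiate-auth.delegation-uris", "InternalSSOHostserver.domain.com");
user_pref("network.automatic-ntlm-auth.trusted-uris", "InternalSSOHostserver.domain.com,.domain.com");
user_pref("network.automatic-ntlm-auth.allow-proxies", true);
user_pref("network.negotiate-auth.allow-proxies", true);
EOF
}

# pref_value FILE PREF -> prints PREF's value (quotes stripped); empty if unset
pref_value() {
  sed -n "s/^user_pref(\"$2\", *\"\{0,1\}\([^\")]*\)\"\{0,1\});.*/\1/p" "$1" | tail -n 1
}

# audit_prefs FILE HOST -> prints one line per pref; returns 0 only when both
# URI prefs equal HOST exactly, 1 when either is unset or broader than HOST
audit_prefs() {
  file="$1"; host="$2"; rc=0
  for pref in network.negotiate-auth.delegation-uris \
              network.automatic-ntlm-auth.trusted-uris; do
    val=$(pref_value "$file" "$pref")
    if [ "$val" = "$host" ]; then
      echo "OK      $pref = $val"
    else
      echo "REVIEW  $pref = '${val:-<unset>}' (expected exactly $host)"
      rc=1
    fi
  done
  for pref in network.automatic-ntlm-auth.allow-proxies \
              network.negotiate-auth.allow-proxies; do
    echo "INFO    $pref = $(pref_value "$file" "$pref")"
  done
  return $rc
}

# Demo run against the constructed sample: trusted-uris is flagged for review.
demo_prefs=$(mktemp)
write_sample_prefs "$demo_prefs"
audit_prefs "$demo_prefs" "$EXPECTED_HOST" || echo "audit: settings need review"
rm -f "$demo_prefs"
```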

Google Chrome

Use Automator to create an application that launches Chrome with the command line parameter.

  1. Start Automator and select Application.
  2. Double-click Run Shell Script in the Library folder and replace the default script text (cat) with the following:

    open -a "Google Chrome" --args --auth-server-whitelist="InternalSSOHostserver.domain.com"

    Note: The InternalSSOHostserver.domain.com value refers to the server hosting the Okta IWA web application.

Save the application and use it whenever you start a Chrome session that should use Chrome's IWA capability.


Safari

Safari supports IWA natively on Macs that are domain-joined (joined to a network account server). For instructions on joining your Macs to your domain, see Apple's OS X El Capitan article: How to join your Mac to a network account server.


References:

Configuring Desktop SSO with Okta