When your client machines are domain-joined and you want your SSO to be seamless, you need to use Integrated Windows Authentication (IWA). IWA will only work when your client machines can contact your internal Single Sign On Host Server either through VPN or when on the corporate network in the office.
IWA for OS X Clients
Mozilla Firefox
Note: Firefox requires your IWA service to be using https.
- Open Firefox and navigate to about:config
- Edit the following settings (Setting: Value):
  - network.negotiate-auth.delegation-uris: InternalSSOHostserver.domain.com
  - network.automatic-ntlm-auth.trusted-uris: InternalSSOHostserver.domain.com
  - network.automatic-ntlm-auth.allow-proxies: True
  - network.negotiate-auth.allow-proxies: True
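The same four preferences can be rolled out without hand-editing about:config by placing a user.js file in the Firefox profile; the shell script below is an added example (not from this article or from Okta) that writes those lines for one host and refuses values that would hand the user's Windows credentials to every site. The host name and the profile path in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: emit Firefox user.js lines for the IWA prefs listed above.
# IWA_HOST is a placeholder; use your own internal SSO host name.
IWA_HOST="InternalSSOHostserver.domain.com"

# Minimal sanity check on a trusted-URIs value. Firefox sends Kerberos/NTLM
# credentials automatically to any host matching these prefs, so reject an
# empty value, a wildcard, a bare scheme (matches every site using it) or a
# single-label name. A value that passes is still your responsibility to scope.
iwa_scope_ok() {
  case "$1" in
    ""|"*"|"http://"|"https://"|*\**) return 1 ;;
    *.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print user.js lines for one host. Firefox reads user.js from the profile
# directory at startup and copies each user_pref() into prefs.js.
firefox_iwa_userjs() {
  host="$1"
  iwa_scope_ok "$host" || { echo "refusing overly broad IWA host: '$host'" >&2; return 1; }
  printf 'user_pref("network.negotiate-auth.delegation-uris", "%s");\n' "$host"
  printf 'user_pref("network.automatic-ntlm-auth.trusted-uris", "%s");\n' "$host"
  printf 'user_pref("network.automatic-ntlm-auth.allow-proxies", true);\n'
  printf 'user_pref("network.negotiate-auth.allow-proxies", true);\n'
}

# Usage (profile path is an assumption; adjust <profile> to the real folder):
# firefox_iwa_userjs "$IWA_HOST" >> "$HOME/Library/Application Support/Firefox/Profiles/<profile>/user.js"
```

Restart Firefox after writing the file; the values then appear in about:config as if entered by hand.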
Google Chrome
Use Automator to create an application that launches Chrome with the command line parameter.
- Start Automator and select Application.
- Double-click Run Shell Script in the Library folder and replace the default contents (cat) with the following:
open -a "Google Chrome" --args --auth-server-whitelist="InternalSSOHostserver.domain.com"
Note: The InternalSSOHostserver.domain.com value refers to the server hosting the Okta IWA web application.
Safari
Safari supports IWA natively on Macs that are domain-joined (joined to a network account server). For instructions on joining your Macs to your domain, see this Apple article for OS X El Capitan: How to join your Mac to a network account server