Q: Long Dau: How would I go about deploying desktop SSO for multiple domains? Scenario: two different DCs with no trust between their domains, but both will share one Okta tenant. The issue I am running into is that I can only set one IWA connection as the primary, therefore only one domain can SSO at a time. I believe the solution has something to do with the Universal Redirect URL, but I am not sure what to do.
A: Matt Egan, Varian Medical Systems -
We had an identical issue and this is how we solved it (This is just an elaboration of the advice already given by Krish and Ramchand).
No trust between the domains, users are configured uniquely in one domain or the other. Users provisioned in a given domain logon to computers that are joined to a given domain.
Both domains are directory sources in our single Okta org.
We deployed 2 IWA agents (1 in each domain).
We configured CNAME entries in both zones:
DesktopSSO.domainA.local -> IwaA.domainA.local
DesktopSSO.domainB.local -> IwaB.domainB.local
In Okta we configured Desktop Single Sign-On to "Use global redirect URL" of:
Leveraging the built-in functionality of appending the primary and connection-specific DNS suffixes to unqualified names (*please note there are many configurable deviations to this behavior), a user logged into a computer that is joined to a given domain is going to resolve the unqualified hostname of desktopsso to the fully qualified hostname of the IWA server that is appropriate for their domain.
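The DNS side of the setup described in the answer above, as an added example that is not part of the original thread or of Okta's documentation. It creates the two CNAME records (one per zone, using the zone and IWA hostnames given in the answer) and then, from a domain-joined client, checks that the unqualified name desktopsso really resolves through the client's DNS suffix search list to the IWA server of that client's own domain. The DNS server names (dcA.domainA.local, dcB.domainB.local) and the function name are assumptions made for the example; the Okta "global redirect URL" itself is set in the Okta admin console and is not scripted here.

```powershell
# Added example, not code from the original thread. Assumed names: the DNS
# server hostnames below are invented; zone and IWA hostnames come from the answer.

# --- Server side: run once per domain, with credentials valid in that domain ---
# There is no trust between the domains, so each Add-DnsServerResourceRecordCName
# must run from a host that can authenticate to that domain's DNS server.
$records = @(
    @{ Zone = 'domainA.local'; Alias = 'IwaA.domainA.local'; DnsServer = 'dcA.domainA.local' },
    @{ Zone = 'domainB.local'; Alias = 'IwaB.domainB.local'; DnsServer = 'dcB.domainB.local' }
)

foreach ($r in $records) {
    Add-DnsServerResourceRecordCName -ZoneName $r.Zone `
        -Name 'DesktopSSO' `
        -HostNameAlias $r.Alias `
        -ComputerName $r.DnsServer `
        -TimeToLive ([TimeSpan]::FromHours(1))
}

# --- Client side: run on a workstation joined to either domain ---
function Test-DesktopSsoResolution {
    param(
        # The DNS suffix the resolved IWA server is expected to carry,
        # e.g. 'domainA.local' on a client joined to domainA.
        [Parameter(Mandatory)][string]$ExpectedSuffix
    )

    # The suffix search list is what turns "desktopsso" into
    # desktopsso.domainA.local. A GPO-defined list or disabled devolution
    # (the "configurable deviations" the answer warns about) shows up here.
    $primary  = (Get-CimInstance Win32_ComputerSystem).Domain
    $suffixes = (Get-DnsClientGlobalSetting).SuffixSearchList
    Write-Host "Primary DNS suffix : $primary"
    Write-Host "Suffix search list : $($suffixes -join ', ')"

    # Resolve the single-label name exactly as the browser will when it follows
    # the global redirect URL.
    $cname = Resolve-DnsName -Name 'desktopsso' -Type CNAME -ErrorAction Stop |
        Where-Object { $_.Type -eq 'CNAME' } |
        Select-Object -First 1

    if (-not $cname) {
        throw 'desktopsso did not resolve to a CNAME; check the zone record and the suffix list.'
    }
    Write-Host "desktopsso -> $($cname.NameHost)"

    if ($cname.NameHost -notlike "*.$ExpectedSuffix") {
        throw "desktopsso resolved to the IWA server of another domain: $($cname.NameHost)"
    }
    return $cname.NameHost
}

# Example run on a domainA-joined client; use 'domainB.local' on a domainB client.
Test-DesktopSsoResolution -ExpectedSuffix 'domainA.local'
```

Two things worth checking alongside the DNS resolution: the IWA agent in each domain must hold the SPN for the name the browser actually contacts, and Windows browsers only send Kerberos to hosts in the Local Intranet zone, which a single-label hostname such as desktopsso falls into by default but a GPO can override. Running the function on one client from each domain is a quick way to confirm that the same unqualified name lands on the correct IWA server in both cases.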