
Multi-Domain SSO

Oct 19, 2015 | by Thomas Hill in Getting Started

Q: Long Dau: How would I go about deploying desktop SSO for multiple domains? Scenario: two different DCs with no trust between their domains, but both will share one Okta tenant. The issue I am running into is that I can only set one IWA connection as the primary, therefore only one domain can SSO at a time. I believe the solution has something to do with the Universal Redirect URL but I'm not sure what to do.
A: Matt Egan, Varian Medical Systems -

We had an identical issue and this is how we solved it (This is just an elaboration of the advice already given by Krish and Ramchand).

Our structure



No trust between the domains; users are configured uniquely in one domain or the other. Users provisioned in a given domain log on to computers that are joined to that domain.

Both domains are directory sources in our single Okta org.

We deployed 2 IWA agents (1 in each domain).



We configured CNAME entries in both zones:

DesktopSSO.domainA.local -> IwaA.domainA.local

DesktopSSO.domainB.local -> IwaB.domainB.local

In Okta we configured Desktop Single Sign-On to "Use global redirect URL" of:


Leveraging the built-in functionality of appending the primary and connection-specific DNS suffixes to unqualified names (*please note there are many configurable deviations to this behavior), a user logged into a computer that is joined to a given domain is going to resolve the unqualified hostname desktopsso to the fully qualified hostname of the IWA server that is appropriate for their domain.
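As an added example (not part of the original post), this is the PowerShell an administrator could use to create the CNAME in one domain's zone and then verify, from a domain-joined client, that the unqualified name resolves to an IWA host in that client's own domain. It assumes the DnsServer module on the DC and the zone and host names given in the post; the primary DNS suffix is assumed to equal the computer's AD domain (one of the "configurable deviations" the post warns about).

```powershell
# --- Run once on a DNS server in each domain (shown here for domainA.local) ---
# Zone, alias and IWA host names are taken from the post above.
$zone  = 'domainA.local'
$alias = 'DesktopSSO'
$iwa   = 'IwaA.domainA.local'

# Create DesktopSSO.domainA.local -> IwaA.domainA.local only if it does not already exist.
$existing = Get-DnsServerResourceRecord -ZoneName $zone -Name $alias -RRType CName -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordCName -ZoneName $zone -Name $alias -HostNameAlias $iwa
}

# --- Run on a client joined to either domain ---
# Show the suffixes the resolver will append to an unqualified name such as "desktopsso",
# plus the devolution setting, which can change which suffixes get tried.
$gs = Get-DnsClientGlobalSetting
"Suffix search list : $($gs.SuffixSearchList -join ', ')"
"Use devolution     : $($gs.UseDevolution)"

# Assumption: the computer's AD domain is also its primary DNS suffix.
$expected = (Get-CimInstance Win32_ComputerSystem).Domain
"Computer domain    : $expected"

# Resolve the unqualified name the same way the browser will when it follows the
# global redirect URL, and check that the CNAME target sits in this computer's domain.
$answer = Resolve-DnsName -Name 'desktopsso' -Type CNAME -ErrorAction Stop
$target = ($answer | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1).NameHost

if ($target -and $target.ToLower().EndsWith($expected.ToLower())) {
    "OK: desktopsso -> $target (IWA host is in this computer's own domain)"
} else {
    "WARNING: desktopsso -> $target; expected a host under $expected. Check the suffix search list and the CNAME in the $expected zone."
}
```

Run the client portion from one machine in each domain; a mismatch there is the symptom to chase before touching the Okta side.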