
Embedded Okta Sign-In Widget Fails to Authenticate With Agentless DSSO IdP

Okta Identity Engine
API Access Management

Overview

The embedded Okta Sign-In Widget cannot authenticate users when Agentless Desktop Single Sign-On (DSSO) acts as the Identity Provider (IdP). If a routing rule evaluates to Agentless DSSO, the widget renders a "Sign in with AgentlessDSSO" button. Clicking this button generates an error because Agentless DSSO does not support embedded, client-side widgets. Switching the application authentication configuration to a redirect-based model resolves the issue.

When this failure occurs, Okta generates the following error message:

Identity provider is not valid.

Applies To

  • Okta Identity Engine (OIE)
  • Okta Sign-In Widget (Embedded)
  • Agentless Desktop Single Sign-On (DSSO)

Cause

Agentless DSSO is not supported inside an embedded, client-side widget.

Solution

How is the Agentless DSSO authentication error resolved?

To utilize Agentless DSSO, switch the application authentication configuration from an embedded model, such as a self-hosted Okta Sign-In Widget, to a redirect-based model.

  1. Configure the application to perform a full-page browser redirect to the Okta-hosted sign-in page or custom domain login page to initiate authentication.
  2. The browser natively handles the Agentless DSSO Kerberos handshake on the redirect page.
  3. Once authenticated, Okta redirects the user seamlessly back to the application with the session tokens.

 
