00ubtjj6dnxXlBgPb0h1.5504872016347173E12 (Customer) asked a question.
Seamless SSO issues for remote workers
Templafy (SP in this context) has multiple customers using Okta as their IdP to authenticate to Templafy Desktop Application. While majority can authenticate seamlessly when connected to corporate network (domain joined devices), either by being in the office or VPN, seamless SSO (login without user's interaction) does not succeed when working remotely, users are asked for their credentials.
Is this expected behavior or is there anything the customer can adjust in their setup to facilitate quiet login also when outside the company network?
Hello @00ubtjj6dnxXlBgPb0h1.5504872016347173E12 (Customer) Thank you for reaching out to our community.
Without much context from the network environment, best guess here would be that they use IWA authentication on corporate network (https://help.okta.com/en/prod/Content/Topics/Directory/Configuring_Desktop_SSO.htm) which this would allow them to Seamless SSO, outside of the corporate network it would be expected to not work.
Or if they are on the new OIE engine they might be using FastPass for authentication (https://www.okta.com/fastpass/).
Hope this helps!
Hi Paul,
Thank you for your response.
After looking into the log files from our application, I can see users being redirected to
https:// ****.okta.com/login/agentlessDsso/auth . I presume that means they are using Agentless Desktop SSO not IWA.
Additionally, I found on your support pages that Agentless Dsso will not work when working remote, VPN is required for the Seamless SSO to succeed. See here: https://help.okta.com/en/prod/Content/Topics/Directory/dsso-faq.htm
Is there any setup Okta supports that would cater Seamless SSO for remote workers?
Hello @00ubtjj6dnxXlBgPb0h1.5504872016347173E12 (Customer) Authentication is done based on Network zone, is they can configure that for users that are outside of the network then yes that can work. However most users will have dynamic IP and not static, which in this case this will mostly be very hard to configure.