In an agentless DSSO (Desktop Single Sign-on) scenario Okta is the one decrypting the Kerberos ticket, finds then the user name, authenticates the user and passes back a session to the browser.

In an agentless DSSO (Desktop Single Sign-on) scenario Okta is the one decrypting the Kerberos ticket, finds then the user name, authenticates the user and passes back a session to the browser. Solution: The statement is valid, but Okta is not the one doing decryption – the browser is doing thatA . YesB ....