So I did finally get it working. The disconnect in my head was that you
have to whitelist the internal server where you have the Okta agent
running, while I was trying to whitelist *.okta.com.

Anyone get this working? @dan.snelson - I ran the script, checked the
pref file and the Okta TLD is set for AuthNegotiateDelegateWhitelist and
AuthServerWhitelist, but I'm still getting a request for credentials
when I hit our test page.

Interesting. defaults read /Library/Preferences/com.apple.loginwindow
lastUserName returns a value of _mbsetupuser for me when run by an AD
user from a Mac bound to AD.