

# Managing the single sign-on extension in Amazon WorkSpaces Secure Browser
<a name="allow-extension"></a>

You can enable an extension for your end users to have a better portal sign-on experience. For example, if you use Okta as your portal’s SAML 2.0 identity provider (IdP), and you also use it as the IdP for the websites you want users to visit during a session, you can pass the Okta sign-in cookie to the session with the extension. Afterwards, when users visit a website that requires the Okta domain cookie, they can access the website without having to sign in during the session.

The extension is supported in Chrome and Firefox browsers. It synchronizes cookies for the allowed domains from the user's sign-in to the session. The extension does not require the user to sign in, and it works behind the scenes without requiring the user to take any action after installation. No data is stored by the extension.

By default, extensions are not enabled in Chrome in Incognito windows or Firefox Private Browsing windows. Users can enable them manually. For more information about Chrome, see [Extensions in Incognito mode](https://support.google.com/chrome/a/answer/13130396?hl=en). For more information about Firefox, see [Extensions in Private Browsing](https://support.mozilla.org/en-US/kb/extensions-private-browsing).

Users are prompted to install the extension when they sign in to a portal. For details about the user experience with the extension, see [Single sign-on extension for Amazon WorkSpaces Secure Browser](extension.md).

**Topics**
+ [Identifying domains for the single sign-on extension in Amazon WorkSpaces Secure Browser](identify-domains.md)
+ [Adding the single sign-on extension to a new web portal in Amazon WorkSpaces Secure Browser](extension-new.md)
+ [Adding the single sign-on extension to an existing web portal in Amazon WorkSpaces Secure Browser](extension-existing.md)
+ [Editing or removing the single sign-on extension in Amazon WorkSpaces Secure Browser](remove-extension.md)

# Identifying domains for the single sign-on extension in Amazon WorkSpaces Secure Browser
<a name="identify-domains"></a>

First, determine which domains you need for your SAML IdP and websites. You can add up to 10 domains.

You are responsible for testing and identifying the appropriate domain for the cookies to be synchronized. Changes might be required at the IdP or website authentication level to ensure single sign-on works as expected. 

To see which domains to use with the most common IdPs, refer to the following table:


**IdP and domains**  

| IdP | Domain | 
| --- | --- | 
| Okta | okta.com | 
| Entra ID | microsoftonline.com | 
| AWS Identity Center | awsapps.com | 
| One Login | onelogin.com | 
| Duo | duosecurity.com | 
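
Because every allowed domain carries sign-in cookies into the session, it helps to check a proposed list before entering it. The following is an added example, not part of the AWS documentation or service code: it normalizes entries, enforces the 10-domain limit, and flags domains outside the table above for review. The function names are hypothetical, and the `allowlist`/`domain` payload shape is an assumption about the user settings API that should be checked against the API reference.

```python
import re

MAX_DOMAINS = 10  # limit stated on this page

# IdP domains copied from the table on this page.
KNOWN_IDP_DOMAINS = {
    "okta.com": "Okta",
    "microsoftonline.com": "Entra ID",
    "awsapps.com": "AWS Identity Center",
    "onelogin.com": "One Login",
    "duosecurity.com": "Duo",
}

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_domain(entry):
    """Return a lowercase bare domain, or raise ValueError."""
    domain = entry.strip().lower().rstrip(".")
    # Reject URLs, paths, ports and wildcards: only a bare domain is accepted.
    if any(ch in domain for ch in ("/", ":", "*")):
        raise ValueError(f"not a bare domain: {entry!r}")
    labels = domain.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"invalid domain: {entry!r}")
    return domain


def build_allowlist(entries):
    """Validate entries; return (payload, domains_needing_review)."""
    seen, review = [], []
    for entry in entries:
        domain = normalize_domain(entry)
        if domain in seen:
            continue  # duplicates do not count toward the limit
        seen.append(domain)
        if domain not in KNOWN_IDP_DOMAINS:
            review.append(domain)  # website domain: confirm it needs the cookie
    if len(seen) > MAX_DOMAINS:
        raise ValueError(f"{len(seen)} domains exceeds the limit of {MAX_DOMAINS}")
    # Assumed payload shape for the cookie synchronization setting.
    return {"allowlist": [{"domain": d} for d in seen]}, review


# Constructed sample: an IdP domain entered twice, plus one website domain.
SAMPLE = ["Okta.com", "okta.com ", "intranet.example.com"]

if __name__ == "__main__":
    print(build_allowlist(SAMPLE))
```

Domains returned in the review list are not errors; they are the entries to test against the website's own authentication before saving the portal.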

# Adding the single sign-on extension to a new web portal in Amazon WorkSpaces Secure Browser
<a name="extension-new"></a>

To allow the extension when creating a new web portal, follow these steps.

1. Follow the steps in [Creating a web portal for Amazon WorkSpaces Secure Browser](getting-started-step1.md) until you get to [Configuring user settings for Amazon WorkSpaces Secure Browser](user-settings.md).

1. For step 1 of [Configuring user settings for Amazon WorkSpaces Secure Browser](user-settings.md), under **User permissions**, choose **Allowed** to enable the extension for your web portal.

1. Enter the domain for cookie synchronization, and choose **Add new domain**. 

1. Complete the steps in [Configuring user settings for Amazon WorkSpaces Secure Browser](user-settings.md) and the remaining sections in [Creating a web portal for Amazon WorkSpaces Secure Browser](getting-started-step1.md) to create your web portal.

# Adding the single sign-on extension to an existing web portal in Amazon WorkSpaces Secure Browser
<a name="extension-existing"></a>

To add the extension to an existing web portal, follow these steps.

1. Open the WorkSpaces Secure Browser console at [https://console.aws.amazon.com/workspaces-web/home](https://console.aws.amazon.com/workspaces-web/home).

1. Select the web portal to edit.

1. Choose **User settings**, **Users permissions**, and **Allowed** to enable the extension for your web portal.

1. Enter the domain for cookie synchronization, and choose **Add new domain**. 

1. Save your portal changes. The portal will prompt users to install the extension within 15 minutes.

# Editing or removing the single sign-on extension in Amazon WorkSpaces Secure Browser
<a name="remove-extension"></a>

To edit domains or remove the extension, follow these steps.

1. Open the WorkSpaces Secure Browser console at [https://console.aws.amazon.com/workspaces-web/home](https://console.aws.amazon.com/workspaces-web/home).

1. Select the web portal to edit.

1. Choose **User settings**, **Users permissions**, and **Not allowed** to remove the extension for your web portal.

1. Remove or edit individual domains.

1. Once removed, sessions will no longer synchronize cookies, even if the user has the WorkSpaces Secure Browser extension installed in their browser.