AM Web Agents 5.x and Java Agents 5.x CDSSO Flow

Participants: Browser, Agent, and three ForgeRock Access Management components: the «oauth2/authorize» Endpoint, the Policy and Session Services, and the Authentication Service.

1. Browse to protected resource.
   Note: No SSO token for resource domain yet.

alt [Java Agent]
2. Set an amFilterCDSSORequest cookie and redirect...
   Note: The amFilterCDSSORequest cookie holds information consumed when processing the form submitted in 15.
[Web Agent]
3. Redirect...

4. ...to oauth2/authorize endpoint.
5. If browser presents SSO token, request SSO token validation.
   Note: Block not executed when Browser requests a resource in the second domain.
6. If SSO token is valid, skip to 14. Otherwise...
7. Redirect...
8. ...to AM for authentication.
9. Authentication page.
10. Submit credentials.
11. Set valid SSO token with AM domain name and redirect...
12. ...to oauth2/authorize endpoint.
13. Request SSO token validation.
14. SSO token is valid.
15. Send self-submitting form with OIDC token having embedded restricted SSO token.

alt [Java Agent]
16. Form POSTs automatically to an agent endpoint that consumes the response.
    Note: Sets cookie domain to FQDN of resource and validates OIDC token.
17. Redirect, with request to delete the amFilterCDSSORequest cookie...
18. ...to protected resource.
[Web Agent]
19. Form POSTs automatically to protected resource.
    Note: Policy agent intercepts and validates OIDC token.

20. Request SSO token validation.
21. Response for SSO token validation.
22. Request policy decision.
23. Response for policy decision.
24. Allow access and return resource, or deny access and return HTTP 403.
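The checks an agent endpoint could apply when it consumes the form POST of step 16 and builds the redirect of step 17, as an added example that is not ForgeRock's agent code. Assumptions: an HS256 shared key stands in for AM's token signing, the claim names `nonce` and `sso_token`, the cookie fields `nonce` and `goto`, and the cookie name `agent_sso` are all hypothetical.

```python
import base64, hashlib, hmac, json, time

def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(key: bytes, head: str, body: str) -> bytes:
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def issue_token(claims: dict, key: bytes) -> str:
    """Stand-in for AM building the step 15 token (HS256 is an assumption)."""
    head = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64u(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64u(_mac(key, head, body))}"

def consume_form_post(id_token, request_cookie, key, agent_id, now=None):
    """Step 16: validate the posted token; on success build the step 17 redirect."""
    now = time.time() if now is None else now
    deny = lambda reason: {"status": 403, "reason": reason}
    try:
        head, body, sig = id_token.split(".")
        header, claims = json.loads(_unb64u(head)), json.loads(_unb64u(body))
        given = _unb64u(sig)
    except ValueError:
        return deny("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return deny("malformed token")
    if header.get("alg") != "HS256":  # pin the algorithm, never trust the header
        return deny("unexpected alg")
    if not hmac.compare_digest(given, _mac(key, head, body)):
        return deny("bad signature")
    if claims.get("aud") != agent_id:  # token must be minted for this agent
        return deny("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return deny("expired")
    nonce = (request_cookie or {}).get("nonce")  # binds response to the step 2 cookie
    if not nonce or claims.get("nonce") != nonce:
        return deny("nonce mismatch")
    return {"status": 302, "location": request_cookie["goto"],
            "set_cookie": {"name": "agent_sso", "value": claims.get("sso_token")},
            "delete_cookie": "amFilterCDSSORequest"}

if __name__ == "__main__":
    key, cookie = b"constructed-demo-key", {"nonce": "n-123", "goto": "/app/report"}
    print(consume_form_post(issue_token({"aud": "agent1", "exp": time.time() + 60,
          "nonce": "n-123", "sso_token": "restricted-abc"}, key), cookie, key, "agent1"))
```

A token replayed into a browser session that holds a different amFilterCDSSORequest cookie, or none, is rejected at the nonce check even though its signature is valid.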