Java Policy Agents 2024.3

Convert SSO Tokens Into OIDC JWTs

For each incoming request, the agent looks for an OIDC JWT in the cookie named by JWT Cookie Name. Set this property as follows:

  • true: Use this value to allow users to access resources protected by systems that continue to use SSO tokens, and to use the default login redirection mode.

    • If the agent does not find a JWT in the cookie, the agent looks for an SSO token in the iPDP cookie defined during AM installation. During agent startup, the agent retrieves the name of this cookie from AM.

    • If the agent finds an SSO token in the iPDP cookie, it makes a request to AM to convert the SSO token into an OIDC JWT.

    • The agent caches the SSO token, so that if it is presented in another incoming request, the agent substitutes the JWT without making a request to AM.

    • If the agent does not find either token, authentication fails. The user can only access resources that are available through not-enforced rules.

  • false: Do not convert SSO tokens into OIDC JWTs.
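
The lookup order described above, modeled as an added Python example (not ForgeRock's code and not part of the agent). The cookie names, the `am_convert` stand-in for the request to AM, and the choice not to cache a failed conversion are assumptions of this sketch.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Hypothetical cookie names: the agent takes the real ones from the
# JWT Cookie Name property and, for the SSO cookie, from AM at startup.
JWT_COOKIE = "example-jwt"
SSO_COOKIE = "example-sso"


@dataclass
class TokenResolver:
    convert_sso_tokens: bool                    # the property on this page
    am_convert: Callable[[str], Optional[str]]  # stand-in for the call to AM
    am_calls: int = 0
    _cache: Dict[str, str] = field(default_factory=dict)

    def resolve(self, cookies: Dict[str, str]) -> Tuple[Optional[str], str]:
        """Return (jwt, source); jwt is None when no token is usable."""
        jwt = cookies.get(JWT_COOKIE)
        if jwt:
            return jwt, "jwt-cookie"
        if not self.convert_sso_tokens:
            return None, "conversion-disabled"
        sso = cookies.get(SSO_COOKIE)
        if not sso:
            return None, "no-token"   # only not-enforced resources remain
        if sso in self._cache:
            return self._cache[sso], "cache"   # no round trip to AM
        self.am_calls += 1
        jwt = self.am_convert(sso)
        if jwt is None:
            return None, "am-rejected"  # assumption: failures are not cached
        self._cache[sso] = jwt
        return jwt, "am"


def fake_am(sso: str) -> Optional[str]:
    # Constructed sample data: the stand-in AM knows one SSO token.
    return {"sso-abc": "jwt-for-abc"}.get(sso)


def demo():
    agent = TokenResolver(True, fake_am)
    requests = [{JWT_COOKIE: "jwt-direct"}, {SSO_COOKIE: "sso-abc"},
                {SSO_COOKIE: "sso-abc"}, {}]
    return [agent.resolve(c) for c in requests], agent.am_calls


if __name__ == "__main__":
    print(demo())
```

The second request carrying the same SSO token is answered from the cache, so the stand-in AM is called once for the four sample requests.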

Property name



  Introduced in Java Agent 5.6
  Recognized from AM 7

  Introduced in Java Agent 5.7


SSO cookie handling


Boolean: true returns true; all other strings return false.



Bootstrap property


Required property


Restart required


Local configuration file

AM console

Tab: SSO (from AM 7)

Title: Convert SSO Tokens Into OIDC JWTs

Legacy title: Convert SSO Tokens into OpenID Connect JWTs

Copyright © 2010-2024 ForgeRock, all rights reserved.