Java Policy Agents 5.9.1

OAuth Login URL List

AM Conditional Login URL

Use this property in the default configuration (where Enable Custom Login Mode is false and AM Login URL List is empty).

Conditionally redirect unauthenticated requests based on the requested URL.

If the incoming request URL matches a domain name in this list, the agent redirects the unauthenticated request to the specified URL for login. The URL can be an AM instance, site, or a different website.

If Enable FQDN Checking is true, the agent iterates through the list of URLs until it finds an appropriate redirect URL that matches the FQDN check values. Otherwise, the agent redirects the user to the URL configured in the conditional redirect rules.

During the redirect, the agent appends the goto parameter configured in Goto Parameter Name, and a nonce parameter, to the agent’s CDSSO endpoint.

Format, with no spaces between values:



The incoming request URL:

  • Domain: For example, The agent must match the domain and its subdomains. For example, matches and Domains can also include path information, for example,, but cannot specify ports.

  • Subdomain: For example, The agent match the domain, the subdomain, and any sub-subdomain. For example, matches Subdomains can include path information, for example,, but cannot specify ports.

  • Path: For example, /myapp.

  • No value: Nothing is specified before the | character and the rule applies to every incoming request.


The URL to which redirect incoming login requests. The URL may be an AM instance, an AM site, or a website other than AM.

Specify a URL in the format protocol://FQDN[:port]/URI, where the port is optional if it is 80 or 443. For example:

If the redirection URL is not specified, the agent redirects the request to the AM instance or site specified by the following bootstrap properties:


The AM realm into which the agent logs the users. For example, ?realm=marketplace.

When redirecting to AM’s XUI, use an ampersand (&) instead of a question mark (?). For example,

You do not need to specify the realm in the login URL if any of the following conditions is true:

  • The custom login page itself sets the realm parameter, for example, because it lets the user choose it. In this case, you must ensure the custom login page always returns a realm parameter to the agent.

  • The realm that the agent is logging the user into has DNS aliases configured in AM.

  • AM logs the user into the realm whose DNS alias matches the incoming request URL. For example, an inbound request from the URL logs in the marketplace realm if the realm alias is set to

  • The users should always log in to the Top Level Realm.


Parameters that can be added to the URL. Add as many parameters as your custom login pages need. Chain parameters with an ampersand (&), for example, realm=value&parameter1=value1&parameter2=value2.





Property name


Property aliases

org.forgerock.agents.oauth.login.url.list (since 5.6)

org.forgerock.openam.agents.config.conditional.login.url (since 5.6)



Bootstrap property


Required property


Restart required


Local configuration file

AM console tab

AM Services

Copyright © 2010-2023 ForgeRock, all rights reserved.