Web Policy Agents 5.9.1

Accept SSO Token

A flag for whether the agent accepts SSO tokens and ID tokens as session cookies:

  • 0. The agent does not accept SSO tokens as session cookies.

  • 1. The agent accepts both SSO tokens and ID tokens as session tokens during the login flow, and afterwards. SSO tokens are not converted to ID tokens. Set this property to 1 only for environments migrating from earlier versions of the agent, in the following scenarios:

    • Your custom login pages use SSO tokens as session tokens, and Enable Custom Login Mode is set to 2.

    • Your applications, for example, REST or JavaScript clients, can only set SSO tokens.

The SSO token name is given by Cookie Name.

If the agent receives a request with both an SSO token and an ID token, it checks the ID token first. If invalid, it checks the SSO token. If both are invalid, the agent redirects the user for authentication.

The agent caches session information for SSO tokens.

Configure this property with Enable Custom Login Mode, as described in Login Redirect Configuration Options.

This property requires AM 6 or later versions.

Default: 0

Property name


Property aliases

com.forgerock.agents.accept.sso.token (since 5.7)



Bootstrap property


Required property


Restart required


AM console tab

SSO (Available in the console from AM 6.5)

Copyright © 2010-2023 ForgeRock, all rights reserved.