---
title: Web or Java agents SSO and SLO
description: You can use web agents and Java agents in a SAML 2.0 Federation deployment.
component: pingam
version: 8.1
page_id: pingam:am-saml2:using-saml2-with-policy-agents
canonical_url: https://docs.pingidentity.com/pingam/8.1/am-saml2/using-saml2-with-policy-agents.html
keywords: ["SAML 2.0", "Single Sign-on (SSO)", "Federation", "Java", "Agents"]
page_aliases: ["saml2-guide:using-saml2-with-policy-agents.adoc"]
section_ids:
  policy-agent-with-saml2: Use web or Java agents with a SAML 2.0 SP
---

# Web or Java agents SSO and SLO

You can use web agents and Java agents in a SAML 2.0 Federation deployment.

Configuring agents to work alongside AM when performing SAML 2.0 single sign-on and single logout involves altering the URLs the agents use for logging in unauthenticated users, and logging users out.

## Use web or Java agents with a SAML 2.0 SP

This procedure applies when AM is configured as an IdP in one domain, and a web or Java agent protects resources on behalf of a second AM server, configured as an SP, on a second domain.

1. Install the web or Java agent, as described in the [Web Agents documentation](https://docs.pingidentity.com/web-agents/2025.3/installation-guide/preface.html) or the [Java Agents documentation](https://docs.pingidentity.com/java-agents/2025.3/installation-guide/preface.html).

   The following steps configure the agent through the AM admin UI. If your agent doesn't use the centralized configuration mode, change the noted properties in the agent's configuration file instead: `agent.conf` for the web agent or `AgentConfiguration.properties` for the Java agent.

2. When using *web* agents:

   * In the AM admin UI of the SP, go to Realms > *realm name* > Applications > Agents > Web > *agent name* > AM Services.

   * When using [integrated mode SSO](saml2-integrated-mode.html):

     * Set the AM Login URL List property (`com.sun.identity.agents.config.login.url`) to the authentication tree that contains the [SAML2 Authentication node](https://docs.pingidentity.com/auth-node-ref/8.1/saml2.html). For example:

       ```
       https://www.sp.com:8443/am/XUI/#login/&service=mySAMLTree
       ```

   * When using [standalone mode SSO](saml2-standalone-mode.html):

     * Set the AM Login URL List property (`com.sun.identity.agents.config.login.url`) to the SP-initiated SSO URL, including the parameters necessary for initiating SSO. For example:

       ```
       https://www.sp.com:8443/am/spssoinit
       ?metaAlias=/sp
       &idpEntityID=https%3A%2F%2Fwww.idp.com%3A8443%2Fopenam
       ```

     * Add the SP-initiated SLO URL to the AM Logout URL property (`com.sun.identity.agents.config.logout.url`). For example:

       ```
       https://www.sp.com:8443/am/SPSloInit
       ?binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
       &RelayState=http%3A%2F%2Fwww.sp.com
       ```

   * Save your changes.

3. Set the Enable Custom Login Mode (`org.forgerock.openam.agents.config.allow.custom.login`) property to `1`.

4. Disable the Invalidate Logout Session property (set `org.forgerock.agents.config.logout.session.invalidate` to `false`).

5. When using *Java* agents:

   * In the AM admin UI of the SP, go to Realms > *realm name* > Applications > Agents > Java > *agent name* > AM Services.

   * When using [integrated mode SSO](saml2-integrated-mode.html):

     * Set the AM Login URL List property (`com.sun.identity.agents.config.login.url`) to the authentication tree that contains the [SAML2 Authentication node](https://docs.pingidentity.com/auth-node-ref/8.1/saml2.html). For example:

       ```
       https://www.sp.com:8443/am/XUI/#login/&service=mySAMLTree
       ```

   * When using [standalone mode SSO](saml2-standalone-mode.html):

     * Set the AM Login URL List property (`com.sun.identity.agents.config.login.url`) to the SP-initiated SSO URL, including the parameters necessary for initiating SSO. For example:

       ```
       https://www.sp.com:8443/am/spssoinit
       ?metaAlias=/sp
       &idpEntityID=https%3A%2F%2Fwww.idp.com%3A8443%2Fopenam
       ```

     * Add the SP-initiated SLO URL to the AM Logout URL property (`com.sun.identity.agents.config.logout.url`). For example:

       ```
       https://www.sp.com:8443/am/SPSloInit
       ?binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
       &RelayState=http%3A%2F%2Fwww.sp.com
       ```

   * Enable the Enable Custom Login Mode property (set `org.forgerock.openam.agents.config.allow.custom.login` to `true`).

   * Enable the Convert SSO Tokens Into OIDC JWTs property (set `org.forgerock.agents.accept.ipdp.cookie.enabled` to `true`).

   * Save your changes.
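The standalone-mode URLs in the steps above are wrapped over several lines for display, but each property takes a single-line value with its URL-valued parameters percent-encoded. The following Python script is an added example, not part of the product or its documentation, that lints a login and logout URL pair before you set the properties. The function names are hypothetical, and it assumes the same parameters as the examples on this page and that `RelayState` should stay on the SP host.

```python
from urllib.parse import urlsplit, unquote

BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"
# Values copied from this page, wrapped over lines the way the page shows them.
PAGE_LOGIN = """https://www.sp.com:8443/am/spssoinit
?metaAlias=/sp
&idpEntityID=https%3A%2F%2Fwww.idp.com%3A8443%2Fopenam"""
PAGE_LOGOUT = """https://www.sp.com:8443/am/SPSloInit
?binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
&RelayState=http%3A%2F%2Fwww.sp.com"""

def one_line(value):
    # The page wraps long URLs for display; the property value is a single line.
    return "".join(part.strip() for part in value.splitlines())

def lint_url(value, endpoint, encoded, sp_host):
    """Check one URL; return (problems, decoded parameters)."""
    problems = []
    url = urlsplit(one_line(value))
    # Keep raw values so the percent-encoding itself can be checked.
    pairs = [p.partition("=") for p in url.query.split("&") if p]
    raw = {name: val for name, _, val in pairs}
    if url.scheme != "https" or url.hostname != sp_host:
        problems.append(f"{endpoint}: not an https URL on {sp_host}")
    if url.path.rsplit("/", 1)[-1].lower() != endpoint.lower():
        problems.append(f"{endpoint}: unexpected path {url.path}")
    if len(pairs) != len(raw):
        problems.append(f"{endpoint}: repeated parameter")
    for name in encoded:
        if not raw.get(name):
            problems.append(f"{endpoint}: {name} is missing")
        elif ":" in raw[name] or "/" in raw[name]:
            problems.append(f"{endpoint}: {name} is not percent-encoded")
    return problems, {k: unquote(v) for k, v in raw.items()}

def lint_agent_urls(login, logout, sp_host, idp_entity_id):
    problems, sso = lint_url(login, "spssoinit", ["idpEntityID"], sp_host)
    if not sso.get("metaAlias", "").startswith("/"):
        problems.append("spssoinit: metaAlias is missing or malformed")
    if sso.get("idpEntityID") and sso["idpEntityID"] != idp_entity_id:
        problems.append("spssoinit: idpEntityID is not the expected IdP")
    more, slo = lint_url(logout, "SPSloInit", ["RelayState"], sp_host)
    problems += more
    if not slo.get("binding", "").startswith(BINDING_PREFIX):
        problems.append("SPSloInit: binding is not a SAML 2.0 binding URN")
    # Assumption: after logout the user should land back on the SP's own host.
    if slo.get("RelayState") and urlsplit(slo["RelayState"]).hostname != sp_host:
        problems.append("SPSloInit: RelayState leaves the SP host")
    return problems
```

Calling `lint_agent_urls(PAGE_LOGIN, PAGE_LOGOUT, "www.sp.com", "https://www.idp.com:8443/openam")` returns an empty list for the values shown on this page.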
