---
title: SSO-only mode
description: Web Agent intercepts all inbound client requests to access a protected resource and processes the request based on the Enable SSO Only Mode property.
component: web-agents
version: 2025.11
page_id: web-agents:user-guide:sso-only-mode
canonical_url: https://docs.pingidentity.com/web-agents/2025.11/user-guide/sso-only-mode.html
---

# SSO-only mode

Web Agent intercepts all inbound client requests to access a protected resource and processes the request based on the [Enable SSO Only Mode](../properties-reference/com.sun.identity.agents.config.sso.only.html) property.

The configuration setting determines the mode of operation that should be carried out on the intercepted inbound request, as follows:

* When `true`, the agent manages user authentication only. The filter invokes the AM Authentication Service to verify the identity of the user. If the identity is verified, the user is issued a session token through AM's session service.

* When `false`, which is the default, the agent also manages user authorization, by using the policy engine in AM.