---
title: SSO-only mode
description: "Configure PingAM Web Agent in SSO-only mode to manage user authentication without policy enforcement, using PingAM's authentication service to verify identity."
component: web-agents
version: 2026
page_id: web-agents:user-guide:sso-only-mode
canonical_url: https://docs.pingidentity.com/web-agents/2026/user-guide/sso-only-mode.html
---

# SSO-only mode

Web Agent intercepts all inbound client requests to access a protected resource and processes the request based on the [Enable SSO Only Mode](../properties-reference/com.sun.identity.agents.config.sso.only.html) property.

The configuration setting determines the mode of operation that should be carried out on the intercepted inbound request, as follows:

* When `true`, the agent manages user authentication only. The filter invokes the AM Authentication Service to verify the identity of the user. If the identity is verified, the user is issued a session token through AM's session service.

* When `false`, which is the default, the agent also manages user authorization, by using the policy engine in AM.