Assumption: AM is configured as IdP with an external login page (using the “Auth URL” parameter as defined at https://backstage.forgerock.com/docs/am/6.5/saml2-guide/#idp-assertion-processing) and a 5.6.2 Apache Web agent is also used to protect some applications using the same custom login page.
Use case: accessing a SAML-based protected app and then an agent-protected app requires setting the com.forgerock.agents.accept.ipdp.cookie agent parameter to a non-default value; otherwise, SSO will not happen and the user will be redirected to AM when accessing the agent-protected app.
Current doc status:
According to https://backstage.forgerock.com/docs/openam-web-policy-agents/5.6/web-agents-guide/#web-agent-profile-properties, about the com.forgerock.agents.accept.ipdp.cookie parameter, the user guide says:
Set this property when your end users access resources protected by both Web Agents 4.x (which use SSO tokens) and 5.x (which use OpenID Connect JWTs). Converting the SSO token to a JWT will ensure a seamless experience to the user without additional redirection or re-authentication.
Requested improvement: mention (in some way, possibly rephrasing and summarizing better than here) that the SAML + agent 5 scenario is also a valid scenario for using the above ipdp.cookie parameter (and thus setting it to a non-default value).