So I received an email from a customer today - "Are there any ways to provide authentication and authorization without having to install Policy Agent?".
There is now a trend to deploy applications on the cloud. In such deployments, the customer does not want to install a Policy Agent there. As such, the question was raised.
My response:
Without a Policy Agent, if the applications are customizable, they can utilize the OpenAM REST APIs. This is quite common these days. I have another customer that has zero Policy Agents installed in their environment.
https://backstage.forgerock.com/docs/openam/13/dev-guide#rest-api-ssotoken
https://backstage.forgerock.com/docs/openam/13/dev-guide#sec-rest-authz-policy
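
A sketch of the two REST calls linked above, with the application acting as its own enforcement point. This is an added example, not code from the original post or from ForgeRock. It assumes the base URL shown, the default `iPlanetDirectoryPro` cookie name, the default `iPlanetAMWebAgentService` policy set, and an `agent_token` belonging to an account allowed to evaluate policies; `fake_post` is a constructed stand-in so it runs offline.

```python
import json
import urllib.request

BASE = "https://openam.example.com:8443/openam"  # assumed deployment URL

def http_post(url, headers, body):
    """Default transport: POST JSON to OpenAM and decode the JSON reply."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)

def authenticate(user, password, post=http_post):
    """Exchange credentials for an SSO token (the tokenId field)."""
    reply = post(BASE + "/json/authenticate",
                 {"X-OpenAM-Username": user, "X-OpenAM-Password": password}, {})
    return reply["tokenId"]

def is_allowed(agent_token, user_token, resource, action, post=http_post):
    """Ask OpenAM for a decision; deny unless it explicitly returns true."""
    try:
        decisions = post(BASE + "/json/policies?_action=evaluate",
                         {"iPlanetDirectoryPro": agent_token},
                         {"resources": [resource],
                          "application": "iPlanetAMWebAgentService",
                          "subject": {"ssoToken": user_token}})
    except (OSError, ValueError):
        return False  # fail closed if OpenAM is unreachable or replies badly
    for decision in decisions:
        if decision.get("resource") == resource:
            return decision.get("actions", {}).get(action) is True
    return False  # no decision for this resource means no access

def fake_post(url, headers, body):
    """Constructed stand-in for OpenAM so the example runs offline."""
    if url.endswith("/json/authenticate"):
        return {"tokenId": "USER-TOKEN", "successUrl": "/openam/console"}
    return [{"resource": body["resources"][0],
             "actions": {"GET": True, "POST": False},
             "attributes": {}, "advices": {}}]

if __name__ == "__main__":
    token = authenticate("demo", "changeit", post=fake_post)
    url = "http://app.example.com:80/orders"  # constructed resource
    print(is_allowed("AGENT-TOKEN", token, url, "GET", post=fake_post))
```

Without an agent in front of the application, every protected handler has to make this check itself, so an action missing from the response or a failed call is treated as a deny.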