diff --git a/src/libcharon/attributes/attributes.c b/src/libcharon/attributes/attributes.c
index 52c2ef1f38e..9d57160fad2 100644
--- a/src/libcharon/attributes/attributes.c
+++ b/src/libcharon/attributes/attributes.c
@@ -55,7 +55,9 @@ ENUM_NEXT(configuration_attribute_type_names, XAUTH_TYPE, XAUTH_ANSWER, INTERNAL
 "XAUTH_STATUS",
 "XAUTH_NEXT_PIN",
 "XAUTH_ANSWER");
-ENUM_NEXT(configuration_attribute_type_names, INTERNAL_IP4_SERVER, INTERNAL_IP6_SERVER, XAUTH_ANSWER,
+ENUM_NEXT(configuration_attribute_type_names, XAUTH_SSO_FLAG, XAUTH_SSO_FLAG, XAUTH_ANSWER,
+ "XAUTH_SSO_FLAG");
+ENUM_NEXT(configuration_attribute_type_names, INTERNAL_IP4_SERVER, INTERNAL_IP6_SERVER, XAUTH_SSO_FLAG,
 "INTERNAL_IP4_SERVER",
 "INTERNAL_IP6_SERVER");
 ENUM_NEXT(configuration_attribute_type_names, UNITY_BANNER, UNITY_DDNS_HOSTNAME, INTERNAL_IP6_SERVER,
@@ -110,7 +112,9 @@ ENUM_NEXT(configuration_attribute_type_short_names, XAUTH_TYPE, XAUTH_ANSWER, IN
 "X_STATUS",
 "X_PIN",
 "X_ANSWER");
-ENUM_NEXT(configuration_attribute_type_short_names, INTERNAL_IP4_SERVER, INTERNAL_IP6_SERVER, XAUTH_ANSWER,
+ENUM_NEXT(configuration_attribute_type_short_names, XAUTH_SSO_FLAG, XAUTH_SSO_FLAG, XAUTH_ANSWER,
+ "X_SSO");
+ENUM_NEXT(configuration_attribute_type_short_names, INTERNAL_IP4_SERVER, INTERNAL_IP6_SERVER, XAUTH_SSO_FLAG,
 "SRV",
 "SRV6");
 ENUM_NEXT(configuration_attribute_type_short_names, UNITY_BANNER, UNITY_DDNS_HOSTNAME, INTERNAL_IP6_SERVER,
diff --git a/src/libcharon/attributes/attributes.h b/src/libcharon/attributes/attributes.h
index 0a83277a5d0..e348ab77d5c 100644
--- a/src/libcharon/attributes/attributes.h
+++ b/src/libcharon/attributes/attributes.h
@@ -72,6 +72,8 @@ enum configuration_attribute_type_t {
 XAUTH_STATUS = 16527,
 XAUTH_NEXT_PIN = 16528,
 XAUTH_ANSWER = 16529,
+ /* proprietary Sophos attributes */
+ XAUTH_SSO_FLAG = 17001,
 /* proprietary Microsoft attributes */
 INTERNAL_IP4_SERVER = 23456,
 INTERNAL_IP6_SERVER = 23457,
diff --git a/src/libcharon/encoding/payloads/configuration_attribute.c b/src/libcharon/encoding/payloads/configuration_attribute.c
index a23ad148ecb..2b5e0869e94 100644
--- a/src/libcharon/encoding/payloads/configuration_attribute.c
+++ b/src/libcharon/encoding/payloads/configuration_attribute.c
@@ -197,6 +197,7 @@ METHOD(payload_t, verify, status_t,
 case UNITY_FW_TYPE:
 case UNITY_BACKUP_SERVERS:
 case UNITY_DDNS_HOSTNAME:
+ case XAUTH_SSO_FLAG:
 /* any length acceptable */
 break;
 default:
diff --git a/src/libcharon/plugins/vici/vici_cred.c b/src/libcharon/plugins/vici/vici_cred.c
index d4186b1f68e..c0874379767 100644
--- a/src/libcharon/plugins/vici/vici_cred.c
+++ b/src/libcharon/plugins/vici/vici_cred.c
@@ -432,6 +432,12 @@ CALLBACK(load_shared, vici_message_t*,
 {
 type = SHARED_EAP;
 }
+
+ else if (strcaseeq(str, "sso_flag"))
+ {
+ type = SHARED_SSO_FLAG;
+ }
+
 else if (strcaseeq(str, "ntlm"))
 {
 type = SHARED_NT_HASH;
diff --git a/src/libcharon/plugins/xauth_generic/xauth_generic.c b/src/libcharon/plugins/xauth_generic/xauth_generic.c
index 66422bab6e1..1c01cbad0bf 100644
--- a/src/libcharon/plugins/xauth_generic/xauth_generic.c
+++ b/src/libcharon/plugins/xauth_generic/xauth_generic.c
@@ -102,6 +102,27 @@ METHOD(xauth_method_t, process_peer, status_t,
 PLV1_CONFIGURATION_ATTRIBUTE, attr->get_type(attr),
 shared->get_key(shared)));
 shared->destroy(shared);
+
+ shared = lib->credmgr->get_shared(lib->credmgr,
+ SHARED_SSO_FLAG,
+ this->peer,
+ this->server);
+
+ if (!shared)
+ {
+ DBG1(DBG_IKE, "no XAuth %s found for '%Y' - '%Y'", "SSO_Flag",
+ this->peer, this->server);
+ enumerator->destroy(enumerator);
+ cp->destroy(cp);
+ return FAILED;
+ }
+
+ cp->add_attribute(cp, configuration_attribute_create_chunk(
+ PLV1_CONFIGURATION_ATTRIBUTE, XAUTH_SSO_FLAG,
+ shared->get_key(shared)));
+
+ shared->destroy(shared);
+
 break;
 default:
 break;
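Review bot: The two empty `+` lines added before and after the new `else if (strcaseeq(str, "sso_flag"))` branch in vici_cred.c break the if/else-if chain apart visually, which none of the neighbouring branches (`eap`, `ntlm`) do; drop both blank lines so the branch reads like its siblings. The branch itself is fine: it maps the vici type string onto `SHARED_SSO_FLAG` exactly as the existing ones do for their types. The enclosing load_shared callback starts and ends outside the hunk.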
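Review bot: The new block in xauth_generic.c makes a `SHARED_SSO_FLAG` secret mandatory for every XAuth peer: when `lib->credmgr->get_shared(..., SHARED_SSO_FLAG, ...)` returns NULL the method destroys the enumerator and the payload and returns FAILED, so any existing deployment that has an xauth secret but no sso_flag secret will stop authenticating once this lands. Unless the flag is genuinely required everywhere, the lookup should be optional: add the `XAUTH_SSO_FLAG` attribute only when the secret exists and otherwise continue with the reply already built, logging at a lower level than DBG1 since it is not an error. The failure-path cleanup (enumerator and cp destroyed before `return FAILED`) looks consistent with the surrounding code, but process_peer starts and ends outside the hunk, so that could not be confirmed here. A short comment above the lookup should also state what value the attribute carries, since verify() in configuration_attribute.c now accepts any length for `XAUTH_SSO_FLAG` and nothing else constrains it.
```c
			shared->destroy(shared);

			/* proprietary SSO flag secret; optional, peers without one keep working */
			shared = lib->credmgr->get_shared(lib->credmgr, SHARED_SSO_FLAG,
											  this->peer, this->server);
			if (shared)
			{
				cp->add_attribute(cp, configuration_attribute_create_chunk(
							PLV1_CONFIGURATION_ATTRIBUTE, XAUTH_SSO_FLAG,
							shared->get_key(shared)));
				shared->destroy(shared);
			}
			else
			{
				DBG2(DBG_IKE, "no XAuth SSO_Flag secret for '%Y' - '%Y', not sent",
					 this->peer, this->server);
			}
			break;
```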
diff --git a/src/libstrongswan/credentials/keys/shared_key.c b/src/libstrongswan/credentials/keys/shared_key.c
index 039398cd27a..4832aa2e2c2 100644
--- a/src/libstrongswan/credentials/keys/shared_key.c
+++ b/src/libstrongswan/credentials/keys/shared_key.c
@@ -15,7 +15,7 @@
 #include "shared_key.h"
-ENUM(shared_key_type_names, SHARED_ANY, SHARED_PPK,
+ENUM(shared_key_type_names, SHARED_ANY, SHARED_SSO_FLAG,
 "ANY",
 "IKE",
 "EAP",
@@ -23,6 +23,7 @@ ENUM(shared_key_type_names, SHARED_ANY, SHARED_PPK,
 "PIN",
 "NTLM",
 "PPK",
+ "SSO_FLAG",
 );
 typedef struct private_shared_key_t private_shared_key_t;
diff --git a/src/libstrongswan/credentials/keys/shared_key.h b/src/libstrongswan/credentials/keys/shared_key.h
index 44e6f046012..d6f93649ed2 100644
--- a/src/libstrongswan/credentials/keys/shared_key.h
+++ b/src/libstrongswan/credentials/keys/shared_key.h
@@ -45,6 +45,8 @@ enum shared_key_type_t {
 SHARED_NT_HASH,
 /** Postquantum Preshared Key */
 SHARED_PPK,
+ /*Key for SSO flag*/
+ SHARED_SSO_FLAG,
 };
 /**
diff --git a/src/swanctl/commands/load_creds.c b/src/swanctl/commands/load_creds.c
index 852a775842e..8f558580a58 100644
--- a/src/swanctl/commands/load_creds.c
+++ b/src/swanctl/commands/load_creds.c
@@ -677,6 +677,7 @@ static bool load_secret(load_ctx_t *ctx, char *section)
 "pkcs8",
 "pkcs12",
 "token",
+ "sso_flag",
 };
 for (i = 0; i < countof(types); i++)
@@ -693,7 +694,7 @@ static bool load_secret(load_ctx_t *ctx, char *section)
 return FALSE;
 }
 if (!streq(type, "eap") && !streq(type, "xauth") && !streq(type, "ntlm") &&
- !streq(type, "ike") && !streq(type, "ppk"))
+ !streq(type, "ike") && !streq(type, "ppk") && !streq(type, "sso_flag"))
 {
 /* skip non-shared secrets */
 return TRUE;
 }
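Review bot: The comment on the new enumerator in shared_key.h, `/*Key for SSO flag*/`, is a plain comment where its siblings use Doxygen (`/** Postquantum Preshared Key */`), so the value will be missing from the generated API documentation; write it as `/** Shared secret sent as the XAuth SSO flag attribute */`, which matches how xauth_generic.c uses it. Appending `SHARED_SSO_FLAG` after `SHARED_PPK` keeps the existing numeric values stable, and the ENUM table in shared_key.c is extended to the same last value, so the two stay in sync.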
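Review bot: In load_creds.c the set of shared-secret types is now spelled out twice, once in the `types[]` array and once as a chain of six `!streq(type, ...)` calls in load_secret, and the new `"sso_flag"` had to be added to both; a second small array of shared types (or a flag per entry in `types[]`) checked with one loop would keep the two lists from drifting apart on the next addition. This is a style point only; the new entry is present in both places in this commit. load_secret starts and ends outside the hunks.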