Just to clarify one point, when I said that "It actually allows you to set SM_USER to the value of any attribute in the user's record", what actually happens is that an active response fires on an OnAuthAccept event, causing a redirect to an FCC that triggers a new authentication via the SmOverrideAuth auth scheme. When the FCC is accessed, another active response fires setting the "username" field of the FCC to the user's loginID or the value of any user store parameter and puts an encrypted token into the password field. The auth scheme will only signal success if it gets an encrypted token it can decrypt, and if the user identity in the encrypted token matches the username set in the FCC. The net effect is that a new SMSESSION is created with a new loginID in the cookie which doesn't have the domain prefix in it.