When the policy agent receives a decision from the Policy Service, the events illustrated in Figure 6–5 occur.
The decision and session token are cached by the policy agent so subsequent requests can be checked using the cache (without contacting OpenSSO Enterprise).
The cache will expire after a (configurable) interval has passed or upon explicit notification of a change in policy or session status.
The policy agent issues a logging request to the Logging Service.
The Logging Service logs the policy evaluation results to a flat file (which can be signed) or to a JDBC store, depending upon the log configuration.
The Logging Service notifies the policy agent of the new log.
The policy agent allows or denies the user access to the application.
If the user is denied access, the policy agent displays an “access denied” page.
If the user is granted access, the resource displays its access page.
Assuming the browser displays the application interface, this basic user session is valid until it is terminated. See Session Termination for more information. While logged in, if the user attempts to log into another protected resource, the Single Sign-On Session begins.