After authentication, when the user’s browser redirects the initial HTTP request to the mail server for a second time, the following events occur.
The policy agent intercepts the second access request.
The request now contains a session token in the same DNS domain as Access Manager.
The policy agent determines the validity of the session token.
The policy agent contacts the Naming Service to learn where the session token originated.
The Naming Service allows clients to find the service URL for the internal services used by Access Manager. This information can then be used for communication regarding a session.
The Naming Service decrypts the session token and returns the corresponding URLs . The URLs will be used by other services to obtain information about the user session.
The policy agent, using the information provided by the Naming Service, makes a POST request to the Session Service to validate the included session token.
The Session Service receives the request and determines whether the session token is valid based on the following criteria:
Has the user been authenticated?
Does a session data structure and session token exist?
If all criteria are met, the Session Service responds that the session token is valid.
This assertion is coupled with supporting information about the user session itself.
The policy agent creates a Session Listener and registers the Session Listener with the Session Service. This enables notification to the policy agent when a change in the session token state or validity occurs.
The next part of the user session is Policy Evaluation.