When the policy agent receives an allow decision from the Policy Service, the following events occur.
The allow decision is cached in the policy agent, along with the session token, so that subsequent requests can be checked using the cache.
It is no longer necessary for the policy agent to contact Access Manager. The cache will expire after an interval has passed or upon an explicit notification of change in policy or session status. The interval is configurable.
The policy agent issues a logging request to the Logging Service.
The Logging Service logs the policy evaluation results to a flat file (which can be signed) or to a JDBC store, depending upon the log configuration.
The Logging Service notifies the policy agent of the new log.
The policy agent allows the user access to the application.
The browser displays the application interface. This basic user session is valid until it is terminated. See Session Termination.
While the user is still logged in, if he attempts to log into another protected resource, then the Single Sign-On session begins.