SSO is always preceded by a basic user session in which a session is created and its session token is validated, and in which the user is authenticated. For detailed information, see Basic User Session.
SSO begins occurs when the authenticated user requests a protected resource on a second server in the same DNS domain. The following example describes an SSO session by tracing what happens when an authenticated user (from Basic User Session) accesses a second application, an expense reporting application. Session Service maintains user session information with input from all applications participating in the single sign-on. In this example, session service maintains information from the benefits administration and the expense reporting application. The following events occur.
The user attempts to access an expense reporting application.
Both the expense reporting application and the benefits administration application from section Basic User Session are hosted by servers in the same domain.
The user’s browser sends An HTTP request to the expense reporting application. The request includes the user’s session token.
The policy agent intercepts and inspects the request to determine whether a session token exists.
A session token indicates the user is already authenticated. The user was authenticated when the user logged in to the benefits administration application, so authentication service is not required at this time. The SSO APIs retrieve the session data structure, which is known to SSO APIs as the SSOToken. The session token, or session ID, is known to SSO APIs as the SSOTokenID.
The policy agent determines the validity of the session.
For detailed steps, see Session Validation.
The Session Service sends a reply to the policy agent indicating whether the SSOToken is valid.
If the SSOToken is not valid, then the user is redirected to the Authentication page.
If the SSOToken is valid, Session Service creates a Session Listener.
A Session Listener allows notification to the policy agent when a change in the SSOToken state or validity occurs.
The policy agent sends a request to the Policy Service.
The request asks for a decision regarding resources in the policy agent’s portion of the HTTP namespace.
The Policy Service checks for policies that apply to the request.
If Policy Service does not find policy allowing access to the protected resource, the user is denied access. The following events occur:
The Logging Service logs this denial of access.
The policy agent issues a Forbidden message to the user.
The user can then be redirected to an administrator-specified page indicating the user was denied access.
If Policy Service finds policy allowing access to the protected resource, the user is granted access to the protected resource.
The SSO session is valid until it is terminated. Session Termination.
While the user is still logged in, if the user decides to attempt to log in to another protected resource located in a different DNS domain, then CDSSO takes place.