The authentication scenario discussed in the previous paragraphs glosses over an important step. When a user’s authentication request is verified, the Access Manager’s session service is engaged (4), as shown in Figure 3–2. The session service generates a session token, which holds the user’s identity information and a token ID (5). The session token is sent back to the policy agent (6), which forwards the token (as a cookie) to the browser (7) from which the authentication request was made.
When the authenticated user attempts to access another secured service, the browser passes the session token to the corresponding policy agent. The policy agent verifies with the session service that the user’s previous authentication remains valid, and the user is granted access to the second service without being asked to re-enter a user ID and password.
Accordingly, a user needs to sign on only once to be authenticated to multiple web-based services provided by Java Enterprise System. The single sign-on authentication remains in effect until the user explicitly signs off or the session expires.
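The exchange described above, worked through as an added example that is not part of this documentation and not Access Manager's own code: a session service issues an opaque token after a successful login, policy agents in front of two services consult the session service before granting access, and both explicit sign-off and idle expiry invalidate the token for every service at once. The class names, the `SSO_TOKEN` cookie name, the idle timeout and the user store are all constructed for the illustration and are not the product's real identifiers.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Every name below (SessionService, PolicyAgent, SSO_COOKIE, the demo user)
# is constructed for this illustration; none of it is Access Manager's API.
SSO_COOKIE = "SSO_TOKEN"  # placeholder cookie name, not the product's own


@dataclass
class Session:
    user_id: str
    last_seen: float  # drives idle-timeout expiry


class SessionService:
    """Models the session service: issues tokens (step 5) and answers the
    validity checks policy agents make later. The token is an unguessable
    random id; identity is looked up server-side, never trusted from the cookie."""

    def __init__(self, idle_timeout: float, clock: Callable[[], float] = time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock
        self._sessions: Dict[str, Session] = {}

    def create_session(self, user_id: str) -> str:
        token_id = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[token_id] = Session(user_id, self.clock())
        return token_id

    def validate(self, token_id: str) -> Optional[str]:
        """Return the user id if the session is still valid, otherwise None."""
        sess = self._sessions.get(token_id)
        if sess is None:
            return None
        now = self.clock()
        if now - sess.last_seen > self.idle_timeout:
            del self._sessions[token_id]  # expired: discard server-side
            return None
        sess.last_seen = now
        return sess.user_id

    def destroy(self, token_id: str) -> None:
        """Explicit sign-off invalidates the token for every service at once."""
        self._sessions.pop(token_id, None)


class PolicyAgent:
    """Models a policy agent guarding one secured service."""

    def __init__(self, service: str, sessions: SessionService,
                 authenticate: Callable[[str, str], bool]):
        self.service = service
        self.sessions = sessions
        self.authenticate = authenticate

    def handle(self, cookies: Dict[str, str],
               credentials: Optional[Tuple[str, str]] = None) -> dict:
        token = cookies.get(SSO_COOKIE)
        if token is not None:
            user = self.sessions.validate(token)  # ask the session service, not the cookie
            if user is not None:
                return {"status": "granted", "service": self.service, "user": user}
        # No valid session: authenticate only if credentials were supplied (step 4).
        if credentials is not None and self.authenticate(*credentials):
            token = self.sessions.create_session(credentials[0])  # steps 5-6
            return {"status": "granted", "service": self.service,
                    "user": credentials[0], "set_cookie": {SSO_COOKIE: token}}
        return {"status": "login_required", "service": self.service}


def demo() -> List[str]:
    """Walk through the single sign-on exchange and return each outcome."""
    now = [1000.0]  # fake clock so expiry is deterministic
    svc = SessionService(idle_timeout=300, clock=lambda: now[0])
    users = {"alice": "correct horse"}  # constructed credential store

    def check(user: str, password: str) -> bool:
        return users.get(user) == password

    agent_a = PolicyAgent("mail", svc, check)
    agent_b = PolicyAgent("calendar", svc, check)
    browser_cookies: Dict[str, str] = {}
    log: List[str] = []

    log.append(agent_a.handle(browser_cookies)["status"])          # no token yet
    r = agent_a.handle(browser_cookies, ("alice", "correct horse"))
    log.append(r["status"])
    browser_cookies.update(r["set_cookie"])                        # step 7: browser keeps the cookie
    log.append(agent_b.handle(browser_cookies)["status"])          # second service, no re-login
    svc.destroy(browser_cookies[SSO_COOKIE])                       # explicit sign-off
    log.append(agent_b.handle(browser_cookies)["status"])          # token now rejected
    r = agent_a.handle(browser_cookies, ("alice", "correct horse"))
    browser_cookies.update(r["set_cookie"])                        # fresh session
    now[0] += 301                                                  # idle past the timeout
    log.append(agent_a.handle(browser_cookies)["status"])          # expired token rejected
    return log


if __name__ == "__main__":
    print(demo())
```

The point worth noticing is that the policy agent never decodes the cookie itself; every decision goes back to the session service, which is why a single `destroy` or an expiry is immediately effective at all services that share it.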