When a user initiates a user session by using a browser to access and log in to a protected web-based application, the events illustrated in Figure 6–1 occur. The accompanying text describes the model.
The user’s browser sends an HTTP request to the protected resource.
The policy agent that protects the resource intercepts and inspects the user's request and finds no session token.
The policy agent issues a redirect to its configured authentication URL to begin the authentication process.
In this example, the authentication URL it is set to the URL of the Distributed Authentication User Interface.
The browser, following the redirect, sends an HTTP request for authentication credentials to the Distributed Authentication User Interface.
The Session Service creates a new session (session data structure) and generates a session token (a randomly-generated string that identifies the session).
The Authentication Service sets the session token in a cookie.
The next part of the user session is User Authentication.