Sun Java System Access Manager 7 2005Q4 Administration Guide

The Policy Agent Process

The process for protected web resources begins when a web browser requests a URL that resides on a server protected by the policy agent. The server’s installed policy agent intercepts the request and checks for existing authentication credentials (a session token).

Once the agent has intercepted a request and checked the existing session token, the following process is followed.

  1. If the session token is valid, the user is allowed or denied access. If the token is invalid, the user is redirected to the Authentication Service, as outlined in the following steps.

    Assuming the agent has intercepted a request for which there is no existing session token, the agent redirects the user to the login page even if the resource is protected using a different authentication method.

  2. Once the user’s credentials are properly authenticated, the agent issues a request to the Naming Service which defines the URLs used to connect to Access Manager’s internal services.

  3. If the resource matches the non-enforced list, configured at the agent, access is allowed.

  4. The Naming Service returns locators for the policy service, session service and logging service.

  5. The agent sends a request to the Policy Service to get policy decisions applicable to the user.

  6. Based on the policy decisions for the resource being accessed, the user is either allowed or denied access. If the advice attached to the policy decision indicates a different authentication level or authentication mechanism, the agent redirects the request to the Authentication Service until all criteria are validated.
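The agent-side decision flow above, modelled as an added example (not code from the Access Manager guide or the policy agent itself). The non-enforced list, the policy table standing in for the Policy Service, and the advice key name are constructed assumptions; the model also evaluates the non-enforced list before the session check, which is an assumed ordering.

```python
# Added example: a minimal model of the policy agent decision flow.
# All names, patterns and the policy table are constructed for illustration.
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class PolicyDecision:
    allow: bool
    advice: dict = field(default_factory=dict)  # assumed advice key below


@dataclass
class SessionToken:
    valid: bool
    auth_level: int


# Constructed non-enforced list (configured at the agent): served without a session.
NON_ENFORCED = ["/public/*", "/images/*"]

# Constructed stand-in for the Policy Service: resource pattern -> decision.
# "AuthLevelConditionAdvice" is the assumed name of the auth-level advice.
POLICY_TABLE = {
    "/app/*": PolicyDecision(allow=True),
    "/admin/*": PolicyDecision(allow=True, advice={"AuthLevelConditionAdvice": "2"}),
    "/payroll/*": PolicyDecision(allow=False),
}


def policy_service(resource):
    """Step 5: return the policy decision applicable to the resource."""
    for pattern, decision in POLICY_TABLE.items():
        if fnmatch(resource, pattern):
            return decision
    return PolicyDecision(allow=False)  # no matching policy: deny by default


def agent_decide(resource, token):
    """Steps 1-6 as one function: returns ALLOW, DENY or REDIRECT_TO_AUTH."""
    # Step 3 (checked first in this model): non-enforced resources need no session.
    if any(fnmatch(resource, p) for p in NON_ENFORCED):
        return "ALLOW"
    # Step 1: a missing or invalid token sends the user to the Authentication Service.
    if token is None or not token.valid:
        return "REDIRECT_TO_AUTH"
    # Steps 5-6: fetch the decision and honour any auth-level advice attached to it.
    decision = policy_service(resource)
    required_level = int(decision.advice.get("AuthLevelConditionAdvice", 0))
    if token.auth_level < required_level:
        return "REDIRECT_TO_AUTH"  # advice asks for stronger authentication
    return "ALLOW" if decision.allow else "DENY"
```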