The pre-login process establishes a valid Access Manager session. When a principal attempts to access a service provider site and no Access Manager session token is found, Access Manager searches for a federation cookie. The federation cookie is implemented by Access Manager and is called fedCookie. Its value is either yes or no, based on the principal’s federation status.
A federation cookie is not defined in the Liberty Alliance Project specifications.
At this point, the pre-login process may take one of the following paths:
If a federation cookie is found and its value is no, an Access Manager login page is displayed and the principal submits credentials to the proprietary Authentication Service. When authenticated by Access Manager, the principal is redirected to the requested page, which might contain a link to allow for identity federation. If the principal clicks this link, federation begins. See Federation and Single Sign-On for details.
If a federation cookie is found and its value is yes, the principal has already federated an identity but has not been authenticated by an identity provider within the authentication domain for this Access Manager session. Authentication to Access Manager is achieved on the back end by sending a request to the principal’s identity provider. After authentication, the principal is directed back to the requested page.
If no federation cookie is found, a passive authentication request (one that does not allow identity provider interaction with the principal) is sent to the principal’s identity provider. If an affirmative authentication is received back from the identity provider, the principal is directed to the Access Manager Authentication Service, where a session token is granted. The principal is then redirected to the requested page. If the response from the identity provider is negative (for example, if the session has timed out), the principal is sent to a common login page to complete either a local login or Liberty-based federation. See Federation and Single Sign-On for details.
This pre-login process is the default behavior of Access Manager. This process might change based on parameters passed to Access Manager from the participating application. For more details, see the section on The Pre-login URL.
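The three default paths above can be modeled as a small routing function. This is an added example, not Access Manager code: the `Step` names, the `has_session` flag and the function names are hypothetical, and treating any fedCookie value other than yes or no as "no cookie found" is an assumption the page does not state. Because the cookie is supplied by the browser, the model uses it only to pick which authentication path runs, and every path without a session still ends in authentication.

```python
from enum import Enum
from http.cookies import SimpleCookie, CookieError


class Step(Enum):
    SERVE_PAGE = "session token found, no pre-login needed"
    LOCAL_LOGIN = "display Access Manager login page"
    IDP_AUTHN = "send authentication request to identity provider"
    IDP_PASSIVE = "send passive authentication request to identity provider"
    GRANT_SESSION = "Authentication Service grants session token"
    COMMON_LOGIN = "common login page: local login or federation"


def read_fed_cookie(cookie_header):
    """Return 'yes', 'no' or None from a raw Cookie request header."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return None
    morsel = jar.get("fedCookie")
    if morsel is None:
        return None
    # Assumption: an unexpected value is handled like a missing cookie.
    return morsel.value if morsel.value in ("yes", "no") else None


def prelogin_step(has_session, cookie_header):
    """First pre-login step for a request, following the default paths."""
    if has_session:
        return Step.SERVE_PAGE
    fed = read_fed_cookie(cookie_header)
    if fed == "no":
        return Step.LOCAL_LOGIN      # principal submits credentials locally
    if fed == "yes":
        return Step.IDP_AUTHN        # federated, not yet authenticated
    return Step.IDP_PASSIVE          # no cookie: passive request, no user interaction


def after_passive(idp_affirmative):
    """Outcome of the passive request sent when no federation cookie exists."""
    return Step.GRANT_SESSION if idp_affirmative else Step.COMMON_LOGIN


if __name__ == "__main__":
    # Constructed Cookie headers, not captured traffic.
    for header in ("lang=en; fedCookie=no", "fedCookie=yes", "lang=en", "fedCookie=maybe"):
        print(f"{header!r:28} -> {prelogin_step(False, header).name}")
```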