A client accesses
APM provides a session cookie to the client, and redirects the client to the logon page in the per-session policy.
APM authenticates the client using the Windows Active Directory server.
The session reaches the Allow ending in the per-session policy; now it's in the Allow state and moves to the per-request policy.
Since the user request does not contain
, the URL branching follows the fallback branch and is allowed with no further action.
If the client clicks a link to sensitive info, the per-request policy runs again, but this time the URL branching action follows the
APM calls the SAML Step-Up subroutine. Because there is no previous subsession decision data for the SAML Step-Up subroutine in the database, the subroutine is executed.
The SAML Auth agent redirects the client to the SAML IdP using APM's SAML authentication request (authN), and the IdP authenticates the client. Authentication failures are logged as errors.
The client is redirected back to APM with the SAML assertion.
The SAML Auth agent validates the assertion, sends the client to the SAML Auth Passed branch, and on to the Allow ending.
APM caches the subroutine data including the SAML response in the database as subsession variables. Additional requests from this client can proceed without additional authentication for the duration of the subsession.