When a user accesses a resource of a specific application, there is a two-stage verification before the action is allowed:
- Authentication - to identify who the user is and whether the user session may be used with this specific application
- Authorization - to check whether the authenticated user has access to a specific resource of the application
When creating a user session, each login request is processed in the context of a specific application, called the authenticating application.
Every resource identifies itself as belonging to a specific application for authentication purposes. As in the screenshot above, a report authenticates against the CRM application.
Authentication against an application requires that the user has been granted access to that application, either directly or through membership in user groups or application roles that are in turn configured to access the application.
Upon successful authentication against a specific application, UnifiedLogon creates both a global user session, which may be used to access other applications, and an application-specific user session, which handles session timeout independently of other applications. Each application may have a different session timeout: more sensitive applications may be configured with shorter user session timeouts, while general-purpose applications may have longer ones.
A user may create a session in the context of one application and use the same session to start activity in another application, provided that the user has access to that application.
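The following is an added illustration of the session model described above, written for this page and not UnifiedLogon's own code: a global session is created on login against an authenticating application, each application keeps its own idle-timeout clock, and the global session can be reused to enter another application only if the user reaches it directly, via a group or via a role. All class, user, group, role and application names are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class AccessConfig:
    """Constructed access model: a user reaches an application directly,
    through a user group, or through an application role."""
    direct: dict = field(default_factory=dict)      # app -> set of user names
    groups: dict = field(default_factory=dict)      # group -> set of user names
    group_apps: dict = field(default_factory=dict)  # app -> set of groups allowed in
    roles: dict = field(default_factory=dict)       # role -> set of user names
    role_apps: dict = field(default_factory=dict)   # app -> set of roles allowed in
    timeouts: dict = field(default_factory=dict)    # app -> idle timeout in seconds

    def may_access(self, user, app):
        if user in self.direct.get(app, set()):
            return True
        if any(user in self.groups.get(g, set()) for g in self.group_apps.get(app, ())):
            return True
        return any(user in self.roles.get(r, set()) for r in self.role_apps.get(app, ()))


class SessionStore:
    """Global session plus one independently timed session per application."""
    def __init__(self, cfg):
        self.cfg = cfg
        self.sessions = {}  # session id -> {"user": name, "apps": {app: last activity}}

    def login(self, user, app, now):
        # Authentication runs in the context of the authenticating application.
        if not self.cfg.may_access(user, app):
            return None
        sid = f"sid-{len(self.sessions) + 1}"
        self.sessions[sid] = {"user": user, "apps": {app: now}}
        return sid

    def enter(self, sid, app, now):
        # Reuse the global session to start activity in another application.
        s = self.sessions.get(sid)
        if s is None or not self.cfg.may_access(s["user"], app):
            return False
        s["apps"][app] = now
        return True

    def access(self, sid, app, now):
        # Per-application idle timeout: expiry drops only this application's
        # session; the global session (and other apps' sessions) survive.
        s = self.sessions.get(sid)
        last = s["apps"].get(app) if s else None
        if last is None:
            return False
        if now - last > self.cfg.timeouts[app]:
            del s["apps"][app]
            return False
        s["apps"][app] = now
        return True
```

Timestamps are plain seconds so the timeout behaviour can be traced by hand; a real deployment would also bound the lifetime of the global session.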