Novell ACCESS MANAGER 3.1 SP2 - ACCESS GATEWAY GUIDE 2010 Manual page 260

If the request is a cookie broker reply, the Access Gateway strips the cookie from the URL and
redirects the request to the URL. The redirect is handled as a new request, and this new request
flows to the task in decision point 6, where the URL is examined.
If the request isn't a cookie broker reply, the Access Gateway examines the request to see if it is a
cookie broker request. If it is a cookie broker request, the Access Gateway determines whether the
user is authenticated with the contract required by the protected resource.
If the user is authenticated, the Access Gateway creates a cookie broker reply. This reply is
handled as a new request, and flows to the task in decision point 4.
If the user is not authenticated, the request is redirected to the Embedded Service Provider
(ESP). The ESP interacts with the Identity Server to authenticate the user. The Identity Server,
the ESP, and the reverse proxy all maintain authentication information. The ESP returns a new
request, which flows to the task in decision point 6, where the URL is examined.
If the URL does not match a URL of a protected resource (PR), the Access Gateway returns an
HTTP 403 error to the user.
If the URL in the request matches a URL of a protected resource, the Access Gateway needs to
examine the protection type assigned to the resource. The Access Gateway continues with the tasks
outlined in
260 Novell Access Manager 3.1 SP2 Access Gateway Guide
Figure 8-6 on page 261.