Access Gateway sequence flows

Requests are routed through Okta, Access Gateway and customer applications in a given order, creating a variety of artifacts such as the Okta session, the Access Gateway session and the application session. The following diagrams represent the most common sequence flows, as well as an overview of the service provider and identity provider flows.

Sequence diagrams

Sequence: Not protected, no session
Description: Describes the sequence of activities that occur when a user attempts to access a non-protected web resource, in a known application, where no existing Access Gateway session exists.

Sequence: Not protected, with session
Description: Describes the sequence of activities that occur when a user attempts to access a non-protected web resource, in a known application, where an existing Access Gateway session already exists.

Sequence: Protected, no session
Description: Describes the sequence of activities that occur when a user attempts to access a protected web resource, in a known application, where no existing Access Gateway session exists.

Sequence: Protected, with session
Description: Describes the sequence of activities that occur when a user attempts to access a protected web resource, in a known application, where an existing Access Gateway session already exists.

The not-protected resource, no session sequence is common with Customer Identity and Access Management (CIAM) applications. This sequence represents a request for a non-protected, or public, resource where no existing Access Gateway session exists.

Diagram

Events

1. User signs into Okta.
2. Access Gateway checks for a session; no session exists.
3. Access Gateway checks whether the resource is protected.
4. Access Gateway forwards the request to the application. Note that since there is no session, no headers can be provided on forward.
5. Application returns the response to Access Gateway.
6. Access Gateway redirects the response to the user.

The not-protected resource, with session sequence represents a request for a non-protected, or public, resource where an Access Gateway session already exists.

Diagram

Events

1. User signs into Okta.
2. Access Gateway checks for a session and uses the existing session.
3. Access Gateway checks whether the resource is protected.
4. Access Gateway forwards the request to the application. Since a session exists, headers are provided on forward.
5. Application returns the response to Access Gateway.
6. Access Gateway redirects the response to the user.

The protected resource, without session sequence represents a request for a standard protected resource where no Access Gateway session exists.

Diagram

Events

1. User signs into Okta.
2. Access Gateway checks for a session.
3. Access Gateway checks whether the resource is protected.
4. Access Gateway makes a SAML authentication request to the user's browser.
5. Okta requests login.
6. User sends credentials, and other MFA factors as required, to Okta.
7. Okta returns the SAML assertion to the browser.
8. Browser forwards the request with the SAML assertion.
9. Access Gateway creates a session for the application.
10. Access Gateway evaluates the request in the context of any associated policy.
11. Access Gateway forwards the request with all defined headers to the application.
12. Application returns the response to Access Gateway.
13. Access Gateway rewrites and returns the response to the user.

The protected resource, with session sequence represents a request for a standard protected resource where an Access Gateway session already exists.

Diagram

Events

1. User requests the resource.
2. Access Gateway checks for a session. A session exists for the requested application.
3. Access Gateway checks whether the resource is protected.
4. Access Gateway evaluates timeouts and behaves as defined by the application session timeout interaction.
5. Access Gateway evaluates the request in the context of any associated policy.
6. Access Gateway forwards the request with all defined headers to the application.
7. Application returns the response to Access Gateway.
8. Access Gateway rewrites and returns the response to the user.
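The four sequences above share one decision structure at the gateway: look up a session, check whether the resource is protected, apply the session timeout, and then either forward (adding identity headers only when a session exists) or send the browser to Okta for SAML authentication. The following is an added example written for this page, not Okta's Access Gateway code, that models that decision structure so the differences between the flows can be exercised directly. The application name "hr-portal", the "/app/" protected prefix, the "X-Remote-User" header name, the cookie handling, the 900-second idle timeout and the already-validated assertion dictionary are all constructed assumptions.

```python
# Constructed model of the per-request decisions described on this page.
# Illustrative only: not Okta's implementation. Application, paths, cookie
# handling, header names and timeout values are assumptions.
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Session:
    """Access Gateway application session (assumed shape)."""
    user: str
    app: str
    last_seen: float


@dataclass
class Application:
    """Application configuration (assumed shape)."""
    name: str
    protected_prefixes: tuple           # path prefixes that require a session
    # Assumed header mapping: header name -> session attribute to forward
    headers: dict = field(default_factory=lambda: {"X-Remote-User": "user"})
    idle_timeout: float = 900.0         # assumed idle timeout, in seconds


@dataclass
class Decision:
    """What the gateway does with the request."""
    action: str      # "forward" or "redirect_saml"
    headers: dict    # identity headers added on forward (empty without a session)


class AccessGateway:
    def __init__(self, apps):
        self.apps = {a.name: a for a in apps}
        self.sessions = {}  # (app name, session cookie) -> Session

    def is_protected(self, app, path):
        return any(path.startswith(p) for p in app.protected_prefixes)

    def _headers(self, app, session):
        return {h: getattr(session, attr) for h, attr in app.headers.items()}

    def handle(self, app_name, path, cookie=None, now=None):
        """Steps 2-4 of each flow: check session, check protection, decide."""
        now = time.time() if now is None else now
        app = self.apps[app_name]
        key = (app_name, cookie)
        session = self.sessions.get(key)
        # Protected-with-session flow, step 4: evaluate timeouts before use.
        if session is not None and now - session.last_seen > app.idle_timeout:
            del self.sessions[key]
            session = None
        if session is not None:
            session.last_seen = now
        if not self.is_protected(app, path):
            # Not-protected flows: always forward; headers only when a
            # session exists (with no session, no headers can be provided).
            hdrs = self._headers(app, session) if session else {}
            return Decision("forward", hdrs)
        if session is None:
            # Protected, no session: SAML authentication request to the browser.
            return Decision("redirect_saml", {})
        # Protected, with session: forward with all defined headers.
        return Decision("forward", self._headers(app, session))

    def consume_assertion(self, app_name, assertion, now=None):
        """Steps 8-9 of the protected/no-session flow: the browser posts the
        SAML assertion and the gateway creates an application session.
        The assertion is a constructed dict assumed to be already validated
        (signature, audience and validity window checked upstream)."""
        now = time.time() if now is None else now
        cookie = secrets.token_urlsafe(16)
        self.sessions[(app_name, cookie)] = Session(assertion["subject"], app_name, now)
        return cookie


def make_demo_gateway():
    """Constructed configuration: one app with a public area and a protected area."""
    return AccessGateway([Application("hr-portal", ("/app/",))])


if __name__ == "__main__":
    gw = make_demo_gateway()
    print(gw.handle("hr-portal", "/public/index.html"))      # forward, no headers
    print(gw.handle("hr-portal", "/app/payroll"))            # redirect_saml
    c = gw.consume_assertion("hr-portal", {"subject": "alice@example.com"})
    print(gw.handle("hr-portal", "/app/payroll", cookie=c))  # forward with headers
```

The model makes the header behaviour of the two not-protected flows visible: the same public path is forwarded either way, but identity headers only appear once a session exists, and an expired session is discarded before the protection check so a protected request falls back to the SAML flow rather than being forwarded with stale headers.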

Related topics

Reference architectures

About Access Gateway DNS use

About Access Gateway high availability

About Access Gateway prerequisites