
How double authentication works


The process of double authentication is as follows:

  1. After the first level of authentication, the user's browser sends a reauthentication request to the  URL.
  2. An  () agent redirects the user to the  server URL for reauthentication.

    For SAML authentication,  redirects the user to the SAML IdP for reauthentication. If the SAML IdP supports the ForceAuthn attribute on an authentication request, the IdP prompts the user to authenticate again instead of reusing the existing IdP session.

    The  agent identifies a reauthentication request by the reauth query parameter, which is set to true by default. For a reauthentication request, the agent identifies the  server and the application realm in the same way that it identifies them for any other authentication request.

  3. For  authentication, the  server prompts the user to confirm the password.
    For SAML authentication, the IdP prompts the user for both username and password. If the authentication is successful, the IdP redirects the user back to the  server with a SAML response. The  server checks that the user named in the SAML response is the same user who is currently logged in to . If the users differ, the reauthentication fails.
  4. If the reauthentication process is successful, the  server generates a reauthentication token and redirects the user to the  URL. 
    The reauthentication token is valid only for a short period and is specific only to the reauthentication process. It cannot be used for the usual authentication process.
  5. The  agent retrieves the reauthentication token and passes it on to the  servlet.
  6. The  servlet retrieves the reauthentication token and passes it on to the  as an authentication string.
  7.  verifies the user's credential, user name, and reauthentication token through the  AREA plugin.
  8. The  AREA plugin verifies the reauthentication token through an API call to the  server.
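The eight steps above, as an added example that is not the product's own code: a Python model of the reauthentication token flow. The class names, the token lifetime, the user names and the URL are assumptions made for illustration; the real server and plugin APIs are not shown on this page, and the single-use behaviour of the token is an added hardening assumption rather than something the page states. The model shows the checks a practitioner should expect at each hop: the agent recognises reauth=true, the server refuses to issue a token when the reauthenticated identity differs from the session user, and the token is short-lived and bound to the reauthentication purpose, so it cannot be presented as a normal authentication credential.

```python
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Hypothetical names for the parties in the flow described above; the real
# products' classes and APIs differ. Users, URLs and timestamps are constructed.

REAUTH_TOKEN_TTL = 60        # seconds: the token is valid only for a short period
REAUTH_PURPOSE = "reauth"    # tokens carry their purpose so they cannot act as login tokens


def is_reauth_request(url: str) -> bool:
    """Agent-side check (step 2): a request is a reauthentication request when
    the query parameter 'reauth' is present and set to 'true'."""
    query = parse_qs(urlparse(url).query)
    return query.get("reauth", ["false"])[0].lower() == "true"


class SsoServer:
    """Stand-in for the SSO server: tracks logged-in sessions, issues reauth-only
    tokens after a successful second authentication, and verifies them on request."""

    def __init__(self):
        self._sessions = {}   # session_id -> username
        self._tokens = {}     # token -> (username, purpose, expires_at)

    def login(self, username: str) -> str:
        """First level of authentication: returns an opaque session id."""
        session_id = secrets.token_urlsafe(16)
        self._sessions[session_id] = username
        return session_id

    def reauthenticate(self, session_id: str, asserted_user: str, now=None):
        """Steps 3 and 4: asserted_user is the identity proven in the second step
        (password confirmation, or the subject of the SAML response). It must match
        the user who holds the session; otherwise no token is issued (None)."""
        now = time.time() if now is None else now
        session_user = self._sessions.get(session_id)
        if session_user is None or asserted_user != session_user:
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (session_user, REAUTH_PURPOSE, now + REAUTH_TOKEN_TTL)
        return token

    def verify_token(self, token: str, username: str, purpose=REAUTH_PURPOSE, now=None) -> bool:
        """Step 8: the API the plugin calls. Rejects unknown, expired, wrong-purpose
        and wrong-user tokens; a token that passes is consumed (assumed single use)."""
        now = time.time() if now is None else now
        record = self._tokens.get(token)
        if record is None:
            return False
        token_user, token_purpose, expires_at = record
        if now > expires_at:
            del self._tokens[token]
            return False
        if token_purpose != purpose or token_user != username:
            return False
        del self._tokens[token]
        return True


class ExternalAuthPlugin:
    """Stand-in for the AREA plugin (steps 7 and 8): receives the user name and the
    token passed as the authentication string, and verifies the token with the server."""

    def __init__(self, server: SsoServer):
        self._server = server

    def authenticate(self, username: str, auth_string: str, now=None) -> bool:
        return self._server.verify_token(auth_string, username, now=now)


def run_reauth_flow(server, plugin, session_id, request_url, asserted_user, now=None) -> bool:
    """Walks steps 1 to 8 end to end. Returns True only if the agent recognises the
    reauth request, the server issues a token for the same user, and the plugin's
    verification call succeeds."""
    if not is_reauth_request(request_url):
        return False
    token = server.reauthenticate(session_id, asserted_user, now=now)
    if token is None:
        return False
    # The servlet hands (user name, token) to the plugin as the authentication string.
    return plugin.authenticate(asserted_user, token, now=now)
```

The fixed `now` argument exists so the expiry rule can be exercised deterministically; in a real deployment the server's clock is used, which is why the token lifetime should be kept to the few tens of seconds the redirect chain actually needs.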

