--- title: WAM session initiation description: When a user authenticates, PingAccess applies your configured application and resource-level policies to the Web Access Management (WAM) request. component: pingaccess version: 8.3 page_id: pingaccess:introduction_to_pingaccess:pa_wam_session_initiation canonical_url: https://docs.pingidentity.com/pingaccess/8.3/introduction_to_pingaccess/pa_wam_session_initiation.html revdate: July 26, 2023 --- # WAM session initiation When a user authenticates, PingAccess applies your configured application and resource-level policies to the Web Access Management (WAM) request. After completing policy evaluation and determining that the authenticated user should be granted access to a site, PingAccess performs any required token mediation between the backend site and the authenticated user. PingAccess then grants the user access to the site. Diagram illustrating the WAM flow between and . > **Collapse: Processing steps:** > > 1. When a user requests access to a web resource from PingAccess, PingAccess inspects the request for a PingAccess token. > > 2. If the PingAccess token is missing, PingAccess redirects the user to an OpenID Provider (OP) *(tooltip: \
> \

In OAuth terms, an authorization server (AS). The OP/AS issues access tokens to protected resources for approved clients (relying parties). The clients use the access token to access the protected resources hosted by the OAuth resource server.\

> \
)* for authentication. > > | | | > | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | > | | When using an OP, you must already have an OAuth client *(tooltip: \
\

The application in an OAuth framework that requests access to resources. If the request is approved by the authorization server, the client is issued an access token for the resources.\

\
)* configured in PingAccess.- For information on configuring an OAuth client within PingFederate, see [Configure PingFederate as the token provider for PingAccess](../token_providers/pa_configure_pf_as_the_token_provider_for_pa.html) and the [Administrator's Reference Guide](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_administrators_reference_guide.html) in the PingFederate documentation. > > - To configure the OAuth client within PingAccess, see [Connect PingAccess to PingFederate](../token_providers/pa_connect_pa_to_pf.html). | > > 3. The OP follows the appropriate authentication process, evaluates domain-level policies, and issues an OIDC ID token to PingAccess. > > 4. PingAccess validates the ID token and issues a PingAccess token and sends it to the browser in a cookie during a redirect to the original target resource. > > After gaining access to the resource, PingAccess evaluates application and resource-level policies and can optionally audit the request. > > | | | > | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | > | | PingAccess can perform token mediation by exchanging the PingAccess token for the appropriate security token from the PingFederate Security Token Service (STS) *(tooltip: \
\

An entity responsible for responding to WS-Trust requests for validation and issuance of security tokens used for SSO authentication to web services.\

\
)* or from a cache if token mediation occurred recently. | > > 5. PingAccess forwards the request to the target site. > > 6. PingAccess processes the response from the site to the browser (step not pictured). > > | | | > | - | ---------------------------------------------------------------------------------------------------------------------------------------------- | > | | For more information, see the [Session management configuration](../configuring_and_customizing_pingaccess/pa_session_management_config.html). |