My question is not about the initial sign-on or federation. I'd like to understand how, once a user is already logged in (federation or not), the subsequent requests are validated. I can see that there are two such models out there:
1. Security reverse proxy, that is, the traffic between a browser and the application that the browser attempts to access passes through this reverse proxy every time. The reverse proxy checks the user cookie against the policies it manages to determine what resources or access levels the request can have. For example, IBM WebSEAL, OpenAM, UAG work this way.
2. Redirects to applications. That is, once the security module authenticates a login, it redirects to the application that the user wants to access, with a security token. The browser and the application communicate directly, and the application is responsible for checking the cookie and determining the user's authorization to resources within the application itself.
Which one of these authentication models does Office 365/SharePoint Online implement? Or is it something else?
Thanks a lot
Bob