A security provider verifies the identities of application users and administrators who request access via one or more configured login modules.
Device user authentication and administrator authentication are configured differently:
An authentication request that presents username/password or certificate credentials for a specific domain always triggers a cache lookup for an existing authenticated session that used the same credentials. If one is found, the session is reused and the request is not delegated to the configured security backend. This holds even when information from the client session, rather than the presented username/password or certificate credentials, is what authenticates the user.
If an existing authenticated session with the same credentials is found in the cache, the user is not authenticated again against the configured security backend, even if the cached session was authenticated based on an HTTP header, cookie, or personalization value and the new authentication request contains a different value for that parameter.
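
The following model is an added illustration of the cache behavior described above, not code from the product. `Backend`, `SessionCache`, the token strings and the `key_includes_token` switch are all hypothetical; the switch exists only to contrast the documented credentials-only lookup with a cache key that also covers the header value.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Backend:
    """Constructed stand-in for a security backend that validates an HTTP header token."""
    valid_tokens: dict  # token -> user identity (constructed sample data)
    calls: int = 0

    def authenticate(self, token):
        self.calls += 1
        return self.valid_tokens.get(token)  # None means rejected


@dataclass
class SessionCache:
    backend: Backend
    key_includes_token: bool = False  # hypothetical contrast, not a product setting
    sessions: dict = field(default_factory=dict)

    def _key(self, domain, username, password, token):
        # Documented behavior: only domain + presented credentials select the session.
        parts = [domain, username, password]
        if self.key_includes_token:
            parts.append(token)
        return hashlib.sha256("\x00".join(parts).encode()).hexdigest()

    def login(self, domain, username, password, token):
        key = self._key(domain, username, password, token)
        if key in self.sessions:
            return self.sessions[key], "cache"  # backend is never consulted
        identity = self.backend.authenticate(token)
        if identity is not None:
            self.sessions[key] = identity
        return identity, "backend"


def replay(key_includes_token):
    """Log in twice with the same credentials but a different header token."""
    backend = Backend({"token-A": "alice"})
    cache = SessionCache(backend, key_includes_token)
    first = cache.login("default", "alice", "pw", "token-A")
    second = cache.login("default", "alice", "pw", "token-B")  # not valid at the backend
    return first, second, backend.calls


if __name__ == "__main__":
    print(replay(False))  # credentials-only key, as documented
    print(replay(True))   # key also covers the header token
```

With the credentials-only key, the second request is answered from the cache and the backend is called once, so the changed header value is never checked.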