Service Provider First (SP-First)

The process of authentication via eIAM

The Service Provider First pattern applies.
Service Provider First (SP first)

  1. The user calls the target application (= Service Provider).
  2. The target application forwards the user's browser to eIAM for the purpose of authenticating the user.
  3. eIAM now forwards the user's browser to an identity provider (IdP) on which the user logs in.
  4. If the login succeeds, an authentication token is passed to the user's browser, and the browser is routed back to the target application via eIAM.
  5. Along the way, eIAM exchanges the identity provider's original authentication token for an eIAM authentication token, enriched with data from the user's eIAM root account in the root clients as well as the user record in the eIAM access client.
  6. The target application now evaluates the eIAM authentication token and acts on its contents and meaning.
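
The six steps above, simulated end to end as an added example (not eIAM's own code or token format). It shows what "evaluates the eIAM authentication token" in step 6 should cover: signature, issuer, audience, expiry, and that the token answers a login the application itself started. The HMAC signing, keys, claim names (`iss`, `aud`, `in_response_to`, `roles`, `exp`) and `SP_ID` are assumptions standing in for whatever the real federation protocol defines.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo keys and names; a real deployment uses the federation's own
# token format and asymmetric signatures, which this page does not specify.
IDP_KEY, EIAM_KEY = b"demo-idp-key", b"demo-eiam-key"
SP_ID = "https://app.example/sp"

def sign(claims, key):
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + mac

def verify(token, key):
    body, _, mac = token.rpartition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body))

def sp_start_login(pending):
    """Steps 1-2: the SP records a one-time request id before redirecting to eIAM."""
    request_id = secrets.token_urlsafe(16)
    pending.add(request_id)
    return request_id

def idp_login(subject):
    """Steps 3-4: the IdP authenticates the user and issues its own token."""
    return sign({"iss": "idp", "sub": subject}, IDP_KEY)

def eiam_exchange(idp_token, request_id, audience, roles):
    """Step 5: eIAM verifies the IdP token and issues its own enriched token."""
    idp_claims = verify(idp_token, IDP_KEY)
    return sign({"iss": "eiam", "sub": idp_claims["sub"], "aud": audience,
                 "in_response_to": request_id, "roles": roles,
                 "exp": time.time() + 300}, EIAM_KEY)

def sp_evaluate(token, pending):
    """Step 6: accept only an unexpired eIAM token answering the SP's own request."""
    claims = verify(token, EIAM_KEY)
    if claims["iss"] != "eiam" or claims["aud"] != SP_ID:
        raise ValueError("wrong issuer or audience")
    if claims["exp"] < time.time():
        raise ValueError("expired")
    if claims["in_response_to"] not in pending:
        raise ValueError("unsolicited or replayed response")
    pending.discard(claims["in_response_to"])  # one-time use
    return claims
```

Because the application only trusts the eIAM key, a token issued directly by the identity provider fails at the signature check, and a second presentation of an already accepted token fails at the request-id check.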