3.3.5.1.1 Protocol Activation

When a relying party is factored into resource IP/STS and WS resource components, the protocol is triggered differently for the components. For the WS resource component, the protocol is triggered when a web browser requestor attempts to access a WS resource that requires users to be authenticated and an Authentication Context does not exist for the user. For the resource IP/STS component, the protocol is triggered by receipt of a user authentication request from the WS resource component. If the components are located on separate servers, the WS resource MUST redirect the web browser requestor to the resource IP/STS to deliver the security token request. How user authentication requests are communicated between the components of a relying party is implementation-specific and not addressed in this protocol.<73>