ESM login process with ESA
Learn about the ESA login process for accessing the ESM platform.
This page describes how the ESM reads and processes the information in a user's login request coming from ESA.
1. The ESM checks whether the userPrincipalName in the request is NULL. If it is NULL, the ESM rejects the login.
2. Next, the ESM reads esm_userLevel from the request. If it is NOACCESS, the ESM rejects the login. The user level comes from ESA and can be missing if the feature is not in use; in that case this step is skipped. ESA sends UserLevel as Normal, Root or NOACCESS.
3. The ESM looks for an existing User (not a Person) with the same principal name. If no such User is found and the 'servlet.auth.create.users' flag is set to FALSE, the ESM rejects the login.
4. If the User is not found and the 'servlet.auth.create.users' flag is set to TRUE, the ESM tries to create it: it looks for the matching Person (by principal name) and creates a User data card if none is found. If the user creation encounters any errors, or a duplicate with the same name exists, the ESM rejects the login.
5. The ESM confirms that the User and the Person are connected through the property 'servlet.auth.person.user.attribute.code' (default value: efecte_user). If that reference does not point to a User, the ESM rejects the login.
6. If there are any problems creating the User, the ESM rejects the login. It does, however, check whether the User was created or edited by the installer/administrator.
7. If the Person that should be linked to the User is not present, the ESM tries to create a Person data card and link it to the User.
8. The ESM tries to read the user level from the request (if present in the SAML message). If there is still no Person at this point, the ESM assigns the READONLY level automatically. Otherwise the ESM iterates over the groups assigned to the Person (the property name is set in 'servlet.auth.person.groups.attribute.code', default value: "groups"):
- If one of the groups equals 'servlet.auth.admin.ad.group' (default value: "Efecte Administrator"), the ESM gives ROOT level access.
- If one of the groups equals 'servlet.auth.user.ad.group' (default value: "Efecte User"), the ESM gives NORMAL level access.
- Otherwise, the ESM gives READONLY level access.
9. If an 'esm_userLevel' was sent in the request, the ESM tries to assign roles to the User: it reads the 'roles' SAML property and adds each role (separated by semicolons) to the User.
10. Finally, the ESM acts according to the User level set above:
- If the User level was set to NORMAL or ROOT, the User was actually created during the request handling, and no 'esm_userLevel' was sent in the SAML message, the ESM tries to assign that User the default role set with the System property 'servlet.auth.user.roles' (default value: Support person).
- If the User level was set to READONLY and no 'esm_userLevel' was sent in the SAML message, the ESM tries to add the 'servlet.auth.user.readonly.roles' roles to that User.
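The following Python model walks through the decision sequence above end to end, so an administrator can check what level and roles a given SAML attribute set would produce before changing the system properties. It is an added example written for this page, not Efecte's own code: the in-memory `users` and `persons` dictionaries, the request dictionary keys (`userPrincipalName`, `esm_userLevel`, `roles`), and the `evaluate_login` function are assumptions standing in for the ESM's data cards and SAML handling; the property names and default values are the ones listed on this page.

```python
"""Model of the ESM/ESA login decision (added example, not Efecte's code).

Stores are plain dicts keyed by principal name (an assumption):
  users[principal]   -> {"principal": str, "roles": set[str]}
  persons[principal] -> {<link attribute>: principal or None, <groups attribute>: [str]}
"""
from typing import Optional

# System properties and the default values named on the page.
DEFAULT_PROPS = {
    "servlet.auth.create.users": True,
    "servlet.auth.person.user.attribute.code": "efecte_user",
    "servlet.auth.person.groups.attribute.code": "groups",
    "servlet.auth.admin.ad.group": "Efecte Administrator",
    "servlet.auth.user.ad.group": "Efecte User",
    "servlet.auth.user.roles": "Support person",
    "servlet.auth.user.readonly.roles": "",  # empty by default (assumption)
}


def _split_roles(value: Optional[str]) -> list[str]:
    """Roles arrive as one semicolon-separated string."""
    return [r.strip() for r in (value or "").split(";") if r.strip()]


def evaluate_login(request: dict, users: dict, persons: dict,
                   props: Optional[dict] = None) -> dict:
    """Apply steps 1-10 and report accept/reject, level, roles and what was created."""
    props = {**DEFAULT_PROPS, **(props or {})}
    link_attr = props["servlet.auth.person.user.attribute.code"]
    groups_attr = props["servlet.auth.person.groups.attribute.code"]
    result = {"accepted": False, "reason": "", "level": None, "roles": [],
              "created_user": False, "created_person": False}

    # Step 1: a NULL principal name is rejected outright.
    principal = request.get("userPrincipalName")
    if principal is None:
        result["reason"] = "userPrincipalName is NULL"
        return result

    # Step 2: NOACCESS from ESA is rejected; a missing level skips the step.
    esm_level = request.get("esm_userLevel")
    if esm_level is not None and esm_level.upper() == "NOACCESS":
        result["reason"] = "esm_userLevel is NOACCESS"
        return result

    # Steps 3-4: look up the User; create it only if the flag allows.
    user = users.get(principal)
    if user is None:
        if not props["servlet.auth.create.users"]:
            result["reason"] = "User not found and servlet.auth.create.users is FALSE"
            return result
        user = {"principal": principal, "roles": set()}
        users[principal] = user
        result["created_user"] = True
        person = persons.get(principal)
        if person is not None:            # matching Person found: link it to the new User
            person[link_attr] = principal

    # Step 5: an existing Person must reference the User through the link attribute.
    person = persons.get(principal)
    if person is not None and person.get(link_attr) != principal:
        result["reason"] = f"Person is not linked to a User via '{link_attr}'"
        return result

    # Step 7: no Person yet, so create one and link it.
    if person is None:
        person = {link_attr: principal, groups_attr: []}
        persons[principal] = person
        result["created_person"] = True

    # Step 8: level from the SAML message if present, otherwise from the Person's groups.
    if esm_level is not None:
        level = esm_level.upper()         # ROOT or NORMAL (NOACCESS was rejected in step 2)
    else:
        groups = person.get(groups_attr, [])
        if props["servlet.auth.admin.ad.group"] in groups:
            level = "ROOT"
        elif props["servlet.auth.user.ad.group"] in groups:
            level = "NORMAL"
        else:
            level = "READONLY"

    # Step 9: with esm_userLevel present, roles come from the 'roles' SAML property.
    if esm_level is not None:
        user["roles"].update(_split_roles(request.get("roles")))

    # Step 10: without esm_userLevel, fall back to the configured default roles.
    if esm_level is None:
        if level in ("NORMAL", "ROOT") and result["created_user"]:
            user["roles"].update(_split_roles(props["servlet.auth.user.roles"]))
        elif level == "READONLY":
            user["roles"].update(_split_roles(props["servlet.auth.user.readonly.roles"]))

    result.update(accepted=True, level=level, roles=sorted(user["roles"]))
    return result


if __name__ == "__main__":
    # Constructed sample: a Person in the administrator group who has no User yet.
    persons = {"alice@example.com": {"efecte_user": None, "groups": ["Efecte Administrator"]}}
    print(evaluate_login({"userPrincipalName": "alice@example.com"}, {}, persons))
```

Two points worth noticing when reading the model against the steps: the `esm_userLevel` attribute, when present, takes precedence over group membership for the level and switches role assignment from the configured defaults to whatever the `roles` attribute carries, so the attribute mapping on the ESA side decides who becomes ROOT; and with `servlet.auth.create.users` left at TRUE, any principal ESA asserts gets a User and Person created, which is the setting to review first when auditing who can reach the platform.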