There are two ways that you can use the SP to protect content:
Actively, by intercepting requests for particular resources and ensuring that a valid, authenticated session exists between the user agent and the SP software before passing along the request.
Passively, by publishing information about valid, authenticated sessions through CGI variables, but passing unauthenticated requests through unmolested.
In both cases, the information about the session supplied by the SP is provided uniformly so that applications can be programmed to respond dynamically based on the information. The AttributeAccess topic describes this mechanism in detail.
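In the passive case the SP does not block anything, so the access decision falls to the application. The sketch below is an added example, not code from this page or from the SP project; it assumes a Shibboleth SP with its default `Shib-Session-ID` variable and `/Shibboleth.sso/Login` handler, and `BASE_URL` and `PROTECTED_PREFIXES` are hypothetical values.

```python
from urllib.parse import quote

# Assumptions, not taken from the page: Shibboleth SP default names.
SESSION_VAR = "Shib-Session-ID"          # session variable published by the SP
LOGIN_HANDLER = "/Shibboleth.sso/Login"  # SP login handler path
BASE_URL = "https://app.example.org"     # constructed; fixed in config, not read from Host
PROTECTED_PREFIXES = ("/account/",)      # hypothetical paths that need a session


def has_session(environ):
    """True only if the SP published a session in the CGI environment.

    HTTP_* keys are client-supplied request headers and are never consulted:
    a forged "Shib-Session-ID" header arrives as HTTP_SHIB_SESSION_ID,
    not as SESSION_VAR.
    """
    return bool(environ.get(SESSION_VAR))


def decide(environ):
    """Return (status, headers, body) for a passively protected request."""
    path = environ.get("PATH_INFO", "/")
    if has_session(environ):
        user = environ.get("REMOTE_USER", "")
        body = f"authenticated as {user}" if user else "authenticated"
        return 200, [], body
    if path.startswith(PROTECTED_PREFIXES):
        # The SP passed the request through, so the application enforces access.
        # The return target is built from our own base URL and path, never
        # from a client-supplied parameter.
        target = quote(BASE_URL + path, safe="")
        return 302, [("Location", f"{LOGIN_HANDLER}?target={target}")], ""
    return 200, [], "anonymous view"


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        {"PATH_INFO": "/"},
        {"PATH_INFO": "/account/settings"},
        {"PATH_INFO": "/account/settings", "HTTP_SHIB_SESSION_ID": "forged"},
        {"PATH_INFO": "/account/settings", SESSION_VAR: "_example",
         "REMOTE_USER": "alice@example.org"},
    ]
    for env in samples:
        print(env, "->", decide(env))
```

With active protection the unauthenticated branches are never reached, because the SP establishes a session before the request gets to the application.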
...