All operations described in this section must be invoked at steps 3 and 4 of the principal authentication. If a principal does not have an open session with the SP whose resources he or she wants to retrieve, the "challenging for credentials" operation is called. If the operation succeeds, the session is created. If the session is created and the principal has several local accounts that are permitted to access the resource, the "selecting local account" operation is called.
For details on the authentication, see the Authentication in IdP section.