Web browser user makes an initial attempt to connect to the destination site, without presenting a valid login ticket.

The Authentication request. The destination redirects the user to the WIND Login URI. An extra parameter included in the request indicates where the user should be redirected to, after successful authentication.

The user logs in to WIND on Columbia's secure server.

The user is redirected back to the specified destination URI. This time, a valid single-use authentication ticket is included as a parameter.

The Validation Request. The destination site sends a request to the WIND server to validate the authentication ticket being presented.

The WIND server sends back a yes/no response. Tickets are "single-use": the WIND server will only return yes once for a given ticket.

If the response is yes, the destination site can assume successful authentication has occurred. The destination site may use its own method of establishing a session.