When a user has authenticated to a site or application, the user has access to a resource controlled by a Policy Enforcement Point (PEP). The PEP checks for user access to the desired resource. The user is either granted or denied access to the resource. SAML is used as the communication mechanism between the PEP and a Policy Decision Point (PDP). In NetIQ product terminology, a PEP could be thought of as the NetIQ Access Gateway, and the PDP as the NetIQ Identity Server.