After the remember-me cookie has been validated successfully, the user's session is granted the user's roles (plus, optionally, some statically configured roles).
This may give the user access to some applications but not all. If step-up authentication is configured for access to other applications, this results in the following use case:
- User is automatically logged in and can access some applications, say A and B (but not C).
- When trying to access application C, strong authentication is required.
- Step-up authentication ensures that the user only has to enter the second factor (e.g. SMS OTP or challenge-response).
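The use case above, modelled as an access decision (an added example, not code from the product this page documents). The role names, the application-to-role mapping and all function names are hypothetical. The rule that a remember-me login never carries the step-up role by itself is an assumption of this example.

```python
from dataclasses import dataclass, field

# Hypothetical names for this example only.
APP_REQUIRED_ROLE = {"A": "customer", "B": "customer", "C": "strong"}
REMEMBER_ME_STATIC_ROLES = {"remembered"}  # statically configured extra roles
STEP_UP_ROLE = "strong"                    # granted only after a second factor


@dataclass
class Session:
    user: str
    roles: set = field(default_factory=set)
    factors: list = field(default_factory=list)  # authentication steps completed


def login_with_remember_me(user, user_roles):
    """Build the session created from a validated remember-me cookie."""
    # Assumption: the cookie alone must never yield the step-up role,
    # even if the role is listed among the user's roles.
    granted = (set(user_roles) | REMEMBER_ME_STATIC_ROLES) - {STEP_UP_ROLE}
    return Session(user, granted, ["remember-me"])


def authorize(session, app):
    """Return 'allow', 'step-up' (second factor only) or 'deny'."""
    required = APP_REQUIRED_ROLE[app]
    if required in session.roles:
        return "allow"
    if required == STEP_UP_ROLE and session.factors:
        # The user is already identified, so only the second factor is asked.
        return "step-up"
    return "deny"


def complete_step_up(session, second_factor_valid):
    """Add the step-up role once the second factor has been verified."""
    if second_factor_valid:
        session.roles.add(STEP_UP_ROLE)
        session.factors.append("second-factor")
    return second_factor_valid
```

A failed second factor leaves the session exactly as the remember-me login created it, so applications A and B stay reachable while C keeps answering with `step-up`.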