The authentication process
The process of authentication depends on the methodology used.
On user/password authentication a user browsers anonymously until he logs in to an OpenWGA domain. If his browser tries to access a database that is not open for anonymous users it is redirected to the OpenWGA login page. There he can provide his user/password credentials for the domain that the addressed database is contained in. The credentials are then verified. If they are correct OpenWGA will store them for the rest of the browser session to keep the user logged in that domain.
A user being logged in to a domain does not automatically have access to all domain resources. It does just mean that the user has been identified for this domain and that authorisation rights can now be determined. It may still be possible that all databases of that domains do not allow the user any access.
On client certificate authentication the process is more transparent and may need no actual user interaction. When the browser accesses an OpenWGA site that is configured for certificate authentication it will ask the browser to provide an authentication certificate certified against a special CA. These are normally registered inside the browsers configuration and can be provided automatically, although some browsers will ask you which certificate to provide. From there on the browser will automatically provide certificate information and the user will instantly be logged in.