Howto tell difference between subjects, sessions and principals

Many Access Manager statistics screens include information about user sessions, subjects and principals. For example, when enabling IDP logging on the Identity Server, the option exists to enable Statistics. When this statistics based logging is enabled, the catalina.out file on both the Identity (IDP) and Access Gateway (LAG) servers will log details about how many user sessions exist on that host, how many subject along with the number of principals. A snippet of the Statistics output is shown below:

<amLogEntry> 2010-12-08T17:50:55Z VERBOSE NIDS Statistics:
NIDPMonitor: Tick: 2
  System Status
   Initialization State: Started
   Total Sessions: 19
   Total Subjects: 11
   Total Principals: 29
   System Memory
    Free Memory: 8.8934854E8
    Total Memory: 1.03795917E9
    Percent Free: 85.68242

A session indicates the total number of tomcat sessions into that host (accessing either the IDP or the ESP (on the LAG)). When a user accesses the IDP or ESP, and gets a JSESSIONID cookie assigned, then this is the equivalent of a session. Opening a second browser on the same host and accessing the same service with generate a second JSESSIONID, and increment the session count.

A subject is a unique identifier for the user that has logged in. If a user logs in with the same unique userID from multiple different hosts or browsers on the same host, a single subject will be created and not multiple.

A principal indicates how many federated identities exist for each authenticated subject on that host. If multiple users have SAML federations with multiple SAML service providers, the principal count will indicate the number of federated identities for all subjects on the host.

Looking at a practical example: Assuming no users have accessed the Access Manager setup. The first user logs in and we monitor the statistics on the IDP server .. we will see