A trust decision can involve outside server calls, the same as an authentication decision, but the context is likely missing proof of identity. Rather there is a statement of identity and maybe some attributes along with it. SSO is really a trust decision as opposed to an authentication. Maybe there can be a single trust/authentication spi. Flesh it out with some mocked up test cases of usage we need to support. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3968519#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...