It is just one of the use cases possible. It should be pretty straight forward to implement this use case as a valve/servlet filter and tie it with the container security. The question would be what trust information gets associated with the user name that floated in? Maybe the digital signature of the sender with whom the IDP has trust relationship..... View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4216383#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...