"beve" wrote : Just to avoid any confusion that here.... The validation is only performed through the JBossSTSLoginModule which is a JAAS Login module. | And the JBossSTSAction only performs issue request to JBossSTS and does not have methods for validating a security token. | | Sorry if this was already understood. | | /Dan Dan, I think that strategy is correct. Validation has to happen through pluggable login modules. Toward this, the STS login module seems appropriate. When the ESB layer has to generate SAML tokens, it needs to contact the STS. Hence it needs some integration logic (satisfied by the STS Action). View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4261281#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...