As stated on issue http://jira.jboss.com/jira/browse/JBAS-4424, the org.jboss.web.tomcat.security.login.WebAuthentication class should be capable of generating a ssoid and setting it on the session when the user has configured the SingleSignOn valve. The idea is to get a reference to the SingleSignOn valve and invoke its methods to associate the authenticated Principal to the ssoid, just like the AuthenticatorBase does. However, the methods that we need to call are protected (register, associate, update, etc), so we can't simply delegate the SSO functionality to the SingleSignOn valve unless we relax the method's access to public in JBossWeb. Can we do that? View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4094309#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...