anonymous wrote : Can someone please explain why it was decided to write an action to do this rather than use the LoginContext/LoginModule approach? Is there any technical reason why that would not work with SAML? I can't really say that this was a technical reason for this. It just seemed appropriate that the LoginModule should only do one thing and that was to validate an existing token from a calling client. The client would have somehow called an STS to have a security token issued for the target service. And if the client was the ESB itself it could use the action to have a security token issued for an endpoint that it is going to call. anonymous wrote : From what I understand, the SAML token is just another credential and it seems to make more sense for this to be handled indirectly, through javax.security, rather than through direct integration. Sorry, I'm not following your suggested solution here. Could you expand on what you mean for this to be handled indirectly with javax.security. Thanks, /Dan View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4261257#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...