Thank you for the detailed explanation. There is one thing that is still not clear to me: when validating a token, how does it know which partner issued the token? There is a "issuer" element in the SAML xml (in my demo, the token shows Issuer="ssodemo:site1"). But this issuer value is what I specified in the context.xml file: | <Valve className="org.jboss.security.valve.SSOTokenManager" assertingParty="ssodemo:site1" /> | And this value would not be visible to the federate server... View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4163745#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...