Yes this flow of events is correct Just to elaborate: anonymous wrote : | 3. The federation server at site2 validates the SAML token and setups the authentication status at site2 using the username presented in the SAML token. | the SAML token validation between site2 and site1 involves a Trust callback between the federation servers of site1 and site2. anonymous wrote : | And how is the token validated when a 3rd party federation server is involved? | The protocol/communication mechanism for the Trust callback is pluggable using a component called TrustPlugin, with the JBossSSOTrustPlugin shipping out-of-the-box To support thirdparty Federation servers, you just need to create a TrustPlugin for that and plug it in. btw- this functionality is not included in the CR1 release. Its currently implemented on the trunk, and will be part of the next release Thanks View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4163641#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...