Also, to add to the logic behind the Identity Manager abstraction:
Not all Federation setups can have partners sharing the same Identity Store. Typical
examples being, legacy applications that are islands in themselves, or integration with
external systems like business partners etc.
In that case each one can have their own implementation of LoginProvider hooking into
their respective store, but still be able to perform SSO with each other.
Of course, the ideal setup is when all partners share the data store.
For this requirement one of our roadmap items is Federated Provisioning so that Identity
data can be synced between partners that don't share the same Identity Store.
I have looked at SSO systems that absolutely require you to share the same Identity Server
to the point that they even have to share the same login screen. That architecture is a
bit primitive now ;)
Can you imagine telling someone like SalesForce.com to share your login screen to enable SSO ;)
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3982544#...
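The architecture sketched in the post, as an added illustration that is not part of the original thread and not the JBoss Federated SSO code: each partner implements a hypothetical `LoginProvider` interface against its own identity store (one dict-backed, one "legacy" store with a different record layout), keeps its own login screen, and crosses the partner boundary only with a signed, short-lived SSO assertion. The federated-provisioning idea from the roadmap item is shown as just-in-time account creation at the accepting partner. The class names, the HMAC token format and the shared federation key are all assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from abc import ABC, abstractmethod
from typing import Optional


class LoginProvider(ABC):
    """Hypothetical per-partner hook into that partner's own identity store."""

    @abstractmethod
    def authenticate(self, username: str, password: str) -> bool: ...

    @abstractmethod
    def lookup(self, username: str) -> Optional[dict]:
        """Return the user's attributes, or None if the user is unknown locally."""

    @abstractmethod
    def provision(self, username: str, attributes: dict) -> None:
        """Create a local, SSO-only account from federated attributes."""


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class DictLoginProvider(LoginProvider):
    """Store keyed by username: {salt, hash, attrs}. Provisioned users have no password."""

    def __init__(self):
        self.users = {}

    def add_user(self, username, password, attrs):
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": _pbkdf2(password, salt), "attrs": attrs}

    def authenticate(self, username, password):
        rec = self.users.get(username)
        if rec is None or rec["hash"] is None:  # unknown, or federated/SSO-only account
            return False
        return hmac.compare_digest(rec["hash"], _pbkdf2(password, rec["salt"]))

    def lookup(self, username):
        rec = self.users.get(username)
        return None if rec is None else rec["attrs"]

    def provision(self, username, attributes):
        self.users[username] = {"salt": None, "hash": None, "attrs": dict(attributes)}


class LegacyLoginProvider(LoginProvider):
    """An 'island' store: flat record list, upper-case LOGIN keys, different field names."""

    def __init__(self):
        self.records = []

    def _find(self, username):
        return next((r for r in self.records if r["LOGIN"] == username.upper()), None)

    def authenticate(self, username, password):
        rec = self._find(username)
        if rec is None or rec["SECRET"] is None:
            return False
        return hmac.compare_digest(rec["SECRET"], _pbkdf2(password, rec["SALT"]))

    def lookup(self, username):
        rec = self._find(username)
        return None if rec is None else rec["PROFILE"]

    def provision(self, username, attributes):
        self.records.append({"LOGIN": username.upper(), "SALT": None,
                             "SECRET": None, "PROFILE": dict(attributes)})


class FederationPartner:
    """One SSO partner: own login screen, own store, trusts assertions from named peers."""

    def __init__(self, name, provider, federation_key: bytes, trusted, ttl=300):
        self.name, self.provider, self.key, self.trusted, self.ttl = name, provider, federation_key, set(trusted), ttl

    def login(self, username, password) -> Optional[str]:
        """Local login; on success returns an SSO assertion the user can carry to a partner."""
        if not self.provider.authenticate(username, password):
            return None
        payload = {"iss": self.name, "sub": username, "attrs": self.provider.lookup(username),
                   "exp": int(time.time()) + self.ttl}
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
        return body + "." + hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def accept_assertion(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Verify a partner's assertion; provision the user locally if absent (federated provisioning)."""
        try:
            body, mac = token.split(".", 1)
        except ValueError:
            return None
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None
        payload = json.loads(base64.urlsafe_b64decode(body))
        if payload["iss"] not in self.trusted or payload["exp"] <= (now or time.time()):
            return None
        if self.provider.lookup(payload["sub"]) is None:
            self.provider.provision(payload["sub"], payload["attrs"])
        return payload["sub"]


def demo():
    """Constructed scenario: alice exists only at PartnerA, yet reaches PartnerB via SSO."""
    key = b"constructed-shared-federation-key"  # out-of-band shared secret, assumption
    store_a, store_b = DictLoginProvider(), LegacyLoginProvider()
    store_a.add_user("alice", "correct horse", {"email": "alice@example.com"})
    a = FederationPartner("PartnerA", store_a, key, trusted={"PartnerB"})
    b = FederationPartner("PartnerB", store_b, key, trusted={"PartnerA"})
    token = a.login("alice", "correct horse")
    return {"token": token, "sso_user": b.accept_assertion(token),
            "provisioned": store_b.lookup("alice"), "partner_b": b}


if __name__ == "__main__":
    print(demo()["sso_user"])  # → alice
```

The accepting partner never sees alice's password or PartnerA's store; it trusts only the assertion's issuer, signature and expiry, and its own `LoginProvider` decides how the federated identity is materialised locally.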