I want to understand how the JBoss SSO SAML token is validated
1. between JBoss federation servers?
2. with a 3rd party federation server?
With some testing, I think the way it works between JBoss federation servers, when
authenticated at SSO site1 and trying to access SSO site2, is:
1. With the help of the HTTP "Referer" header, when sso site2 is accessed, the
sso tomcat valve at site2 posts back to the "/federate/" servlet at site1,
including the "target" URL the user attempts to access.
2. The "/federate/" servlet has access to the SAML token at site1 because the
browser sends it to site1 in a cookie. It then posts this SAML token to the
"/federate/" servlet at site2, together with the "target" URL the
user attempts to access.
3. The federation server at site2 validates the SAML token and sets up the authentication
status at site2 using the username presented in the SAML token.
4. It also returns a "Set-Cookie" header to the browser so the token is sent
to site2 from now on.
Is this observation correct?
And how is the token validated when a 3rd party federation server is involved?
Thanks,