Hi All, I think we should continue the other thread on "Credential API design". It just shows how we all agree to disagree. :) I suggest the following: a) IDM Subsystem should concentrate on Identity constructs (User,Role,Group,Attribute,Application,Tier etc) and stores (db,ldap etc). b) Lets move authentication and credential handling to a layer above IDM. Maybe PL Authentication subsystem. We did do some implementation in PicketBox5 that we used password credential, otp, social, kerberos etc etc with one authentication logic. We can take a look at that. c) Lets document all the credential types and usecases we plan to support. I know we want to do combined authentication, silent authentication, digest, salt/hash, multiple channels etc etc. c) is going to be the most contentious piece of the puzzle that the industry is still not solved. Given that authentication semantics compared to fine grained authorization are finite, we should have solved this easily. Regards, Anil