Hi,

My client has a requirement for SSO to be incorporated into an application we are developing for them.

Originally we decided to use the Federated SSO solution from JBoss. From looking at this further though, it seems that this might be unnecessary as we are not looking for cross domain authentication. Also, we are using one central datastore for authenticating users.

So instead, we are thinking of using the SSO valve provided by JBoss web:
org.jboss.web.tomcat.service.sso.ClusteredSingleSignOn as our means of providing SSO.

Can anyone tell me what exactly extra Federated SSO adds?
And if there are any security implications of removing Federated SSO and relying on the valve?

Also, is ClusteredSingleSignOn sufficient in securing your applications and providing SSO functionality in my applications?

I am pretty sure it is but I just need to satisfy the questions posed by the client!


Thanks for your help,
John