While working on a demo of JBoss Portal I found that while the portal can use several common open source web access managers, they're all "hardcoded" in.  There's no generic support for external tokens without custom code.  Since most web access managers can generate a header, this is the easiest way to get integrated.  I wrote a module on github at mlbiam/jbossportal-sso-header · GitHub that lets you trust any header to have the username.  Apache 2.0 license if anyone would like to use it.