My client has a requirement for SSO to be incorporated into an application we are developing for them.
Originally we decided to use the Federated SSO solution from JBoss. From looking at this further though, it seems that this might be unnecessary as we are not looking for cross domain authentication. Also, we are using one central datastore for authenticating users.
So instead, we are thinking of using the SSO valve provided by JBoss web: org.jboss.web.tomcat.service.sso.ClusteredSingleSignOn as our means of providing SSO.
Can anyone tell me what exactly extra Federated SSO adds? And if there are any security implications of removing Federated SSO and relying on the valve?