Ricky Ho asked:

> Can I use SAML for just Authorization Authority?

Yes. You need to send your authorization authority certain information so that it can make a decision: some authentication information and some information that identifies the resource being accessed. Although I suspect that most people envision using a SAML authentication assertion to represent the authentication information, you don't have to. You could send a Kerberos ticket or an X.509 certificate or some other authentication information. It depends on what authentication information your authorization authority requires.

> You also don't have to use JAAS. Any proprietary API would work also.

True. But if you're working with Java, JAAS provides easy access to your existing security infrastructure.