Hi,

I am trying to install an OpenSSO infrastructure to do SSO for a Spring app and a PHP (MODx CMS) app. I am not really familiar with SAML and the OpenSSO workflow.
The Spring app (deployed in Tomcat) was so far secured by Spring Security 3.0 with a login form.

If I understand correctly, I have 2 options to integrate it with OpenSSO:
1- use the default Tomcat policy agent
2- use the Spring Security extension made by Vladimir Schafer.

What are the advantages and differences of the 2 approaches?

My goals are:
1- to have both apps redirect the user to the OpenSSO login page when not authenticated
2- create a user session on the app that is requesting the authentication after OpenSSO authenticates the user
3- Retrieve specific user settings depending on the app requesting the authentication, in particular the roles of the user
5- authorize access to resources in my Spring app depending on the role of the user (at the class and method level, not only URL)
6- Single Sign Out

Another question: after authentication, does the app server request confirmation from the OpenSSO server each time the user tries to access a resource (which could be a network bottleneck), or does it create a valid session and cookie and assume the user is still logged in (how can single sign out work in that case)?

Thanks for your advice.