I have read some articles about SAML and found it complex If I got what I read then to implement SAML you need some assertion authority (AA) server accessable by all servers in your domain. This AA server provides to all servers information about current rights and permisson of some user(object) in your domain. If some server has auhenticated some user it should notice AA about the fact of authentication But it from my point of view should add digital signature to the message because other way AA could not trust to this information. When some server in the domain requires information about the user initiated the request he can access the AA in order to get information about rights and permissions. If user has been already authenticated by some server in your domain then other server should take for granted that user is part of the domain. Correct me If I am wrong Everything is looking fine but it does not solve problems 1. If some malefactor sent forged request to some server in the domain using id of the authenticated user we have no chances to verify a user identity. Ok we have assertion that this user was authenticated but how to check that this particular message came from the user but not from somebody else. Assertion itself does not help me to do it. 2. Case when I redirect request from one server to another is also confusing me. What is a redirection when we speak about WS ? How can I change original user message if it was signed by digital signature in order to add some assertion reference to it. If I want to create a new message and send it again. I don't need any assertion reference. I just create a new message, sign it by my digital signature and send it to the destination server. 3. Assume that some user is sending successive requests to different servers in the domain. I am not sure that there is a way to attach some security assertion to its message - everything should be coded by a developer. Even if we can get from authentification server some assertion reference and then attach it to the message , server could not relay on it because message with assertion could came from anywhere and there is no warranty that the user is the person it claims it is. But probably somebody tried SAML in production and can provide some practical recomendation that can clear these obstacles?