The federation engine will need an authentication and authorization mechanism. The best approach would be to use JBoss Security for both, since that's being used within more and more JBoss projects. (There is also interest in using JBoss DNA as a persistence and possibly identity federation mechanism for JBoss Security.)