Hi Oliver, Thanks for good tips.
<<< You can configure one fediz configuration file per application and point to it where the FederationAuthenticator is configured or you have one fediz configuration file for the container with several "contextConfig" entries. >>> I didn't know that fediz configuration can hold more than one "conextConfig" entries. <<<< I'd just recommend to not put the clientstore.jks into the WAR file for production as the certificate has a different lifecycle than the application itself. You shouldn't have to deploy a new application war just because a new certificate has to be deployed >>>> I see problems with deploying war file. In my case, we use installer to deploy application. So, I moved client keystore file to myApp/WEB-INF. I use one clientstore.jks for both passive and active profile client. Gina
