The following steps form a very general, high-level guide for determining which approach is best for you.
1. Determine if an OpenSSO Enterprise Policy Agent is available for the container or application you want to use.
2. Determine if the proxy OpenSSO Enterprise Policy Agent is usable in front of the application.
3. Determine if application or container plug-ins that externalize security (independent of the application business logic) are available and pluggable. Consider using the Client SDK to implement these plug-ins. This is how an OpenSSO Enterprise policy agent typically starts out.
4. Determine if a signed and encrypted query, post, or XML API is applicable.
5. Determine if you need to embed the Client SDK in your application or container. The obvious example is when “no” is the answer in all four of the previous steps. You may still need to use this approach if certain functionality is not supplied by an available policy agent. An example is when you must use fine-grained, application-specific policies.
6. Consider using Server SPIs to customize the OpenSSO Enterprise server behavior to your needs.