Hi, > No. You should be running through your authorisation policies on > session resumption. All policies should be moved to the post-auth > section of the outer server. but only the inner server knows the real id etc ? alan