Hi there,

The STSTokenValidator is used to validate incoming credentials (ex. username/password) against the STS. The STSTokenValidator can be used for authentication for web services as well as REST services.

REST security is already very enhanced to support claims based access control, which requires that the service provider knows the user claims, like from a SAML token. This could also be achieved for incoming username/passwords by issuing a SAML token with a configurable list of claims. The STSTokenValidator uses the STS validate binding, which doesn't support validating a token and providing additional claims in the returned SAML token.

There are two options:

1) Make the binding configurable in the STSTokenValidator (validate/issue) and configure the list of claims, appliesto element, lifetime etc. for the issue use case
2) Enhance the validate binding use case on the STS and in the STSTokenValidator to configure the list of claims, appliesto element, lifetime etc.

WDYT?

Thanks
Oli

------

Oliver Wulff
Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com
Talend Application Integration Division http://www.talend.com
