It would appear that the STS client is not properly copying the sp:RequestSecurityTokenTemplate contents into the wst:RequestSecurityToken element.

Per the WS-SP 1.2 spec, section 5.4.2, "This required element contains elements which MUST be copied into the wst:SecondaryParameters of the RST request sent to the specified issuer. Note: the initiator is not required to understand the contents of this element." The STS client copies these values directly into the body of the wst:RequestSecurityToken element in the request to the STS.

So this policy:

  <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always">
    <sp:RequestSecurityTokenTemplate>
      <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType>
      <wst:AppliesTo>
        <wsp:URI>service-1</wsp:URI>
      </wst:AppliesTo>
      <wst:Participants>
        <wst:Participant>
          <wsp:URI>service-1</wsp:URI>
        </wst:Participant>
      </wst:Participants>
      <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</wst:KeyType>
    </sp:RequestSecurityTokenTemplate>
  </sp:IssuedToken>

Becomes this request:

  <wst:RequestSecurityToken>
    ...
    <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType>
    <wst:AppliesTo>
      <wsp:URI>service-1</wsp:URI>
    </wst:AppliesTo>
    <wst:Participants>
      <wst:Participant>
        <wsp:URI>service-1</wsp:URI>
      </wst:Participant>
    </wst:Participants>
    <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</wst:KeyType>
    ...
  </wst:RequestSecurityToken>

Instead of:

  <wst:RequestSecurityToken>
    ...
    <wst:SecondaryParameters>
      <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType>
      <wst:AppliesTo>
        <wsp:URI>service-1</wsp:URI>
      </wst:AppliesTo>
      <wst:Participants>
        <wst:Participant>
          <wsp:URI>service-1</wsp:URI>
        </wst:Participant>
      </wst:Participants>
      <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</wst:KeyType>
    </wst:SecondaryParameters>
    ...
  </wst:RequestSecurityToken>

Before I create an issue report and patch, I wanted to know if there is another usage of the code (Secure Conversation, specific STS implementation, specific spec version, etc.) that would dictate that this copying occur as it does now. I don't see any unit or systests that cover this code.
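As an added example (not from the original post and not the STS client's own code), the following Python script builds the RST both ways from the policy fragment quoted above: once copying the sp:RequestSecurityTokenTemplate children into wst:SecondaryParameters as WS-SP 1.2 section 5.4.2 requires, and once reproducing the body-level copy the post describes. It also includes a small check that lists template elements sitting directly under the RST, which is the kind of assertion a unit test for this code path could make. The wsp namespace URI, the wst:RequestType value and the namespace declarations on the policy fragment are assumptions; the post does not show them.

```python
import copy
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSP = "http://www.w3.org/ns/ws-policy"  # assumed wsp namespace; the post does not declare it

ET.register_namespace("sp", SP)
ET.register_namespace("wst", WST)
ET.register_namespace("wsp", WSP)

# Constructed policy fragment: the one from the post, with namespace declarations added (assumed).
POLICY_XML = f"""<sp:IssuedToken xmlns:sp="{SP}" xmlns:wst="{WST}" xmlns:wsp="{WSP}"
    sp:IncludeToken="{SP}/IncludeToken/Always">
  <sp:RequestSecurityTokenTemplate>
    <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType>
    <wst:AppliesTo><wsp:URI>service-1</wsp:URI></wst:AppliesTo>
    <wst:Participants><wst:Participant><wsp:URI>service-1</wsp:URI></wst:Participant></wst:Participants>
    <wst:KeyType>{WST}/PublicKey</wst:KeyType>
  </sp:RequestSecurityTokenTemplate>
</sp:IssuedToken>"""


def build_rst(policy_xml, request_type=f"{WST}/Issue", spec_conformant=True):
    """Build a wst:RequestSecurityToken from an sp:IssuedToken assertion.

    spec_conformant=True copies the template children into wst:SecondaryParameters
    (WS-SP 1.2 section 5.4.2). spec_conformant=False reproduces the behaviour described
    in the post, where the children land directly in the RST body.
    The wst:RequestType value is an assumed default, not something the post shows.
    """
    issued = ET.fromstring(policy_xml)
    template = issued.find(f"{{{SP}}}RequestSecurityTokenTemplate")
    if template is None:
        raise ValueError("sp:IssuedToken has no sp:RequestSecurityTokenTemplate")

    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = request_type

    # Per the spec note, the initiator need not understand the template contents,
    # so they are copied opaquely rather than interpreted.
    target = ET.SubElement(rst, f"{{{WST}}}SecondaryParameters") if spec_conformant else rst
    for child in template:
        target.append(copy.deepcopy(child))
    return rst


def template_children_in_body(rst):
    """Local names of elements placed directly under the RST other than RequestType
    and SecondaryParameters. An empty list means nothing leaked into the body."""
    secondary = rst.find(f"{{{WST}}}SecondaryParameters")
    names = []
    for child in rst:
        if child is secondary or child.tag == f"{{{WST}}}RequestType":
            continue
        names.append(child.tag.split("}")[1])
    return names


if __name__ == "__main__":
    for conformant in (True, False):
        rst = build_rst(POLICY_XML, spec_conformant=conformant)
        ET.indent(rst)  # Python 3.9+
        print("spec-conformant" if conformant else "current behaviour")
        print(ET.tostring(rst, encoding="unicode"))
        print("template children directly in body:", template_children_in_body(rst))
```

Running the script prints both request shapes; the check returns an empty list for the SecondaryParameters form and the four template element names for the body-level copy.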
