In CXF 2.5.1, we are trying to implement a scenario similar to the Broker Trust STS scenario from Metro ( http://metro.java.net/2.1.1/guide/Example_Applications.html#ahiex) using CXF STS.
We had several questions:

1. Does the CXF STS support multiple security policy alternatives, where the STS from a domain A can be called with either a username token, or a SAML token issued by the STS from domain B? The SAML STS will handle either call depending on which domain it is called from. If the STS is called from the same domain, it will get a username token, whereas if it is called from another trusted domain, it will get a SAML token issued by a trusted STS from the other domain.

2. Is this scenario commonly used? Or is this type of configuration not typically used? In all the examples we ran across, the STS was configured with just a single policy alternative. For example, in NetBeans, the Metro wizard seems to support only one security mechanism for a service.

3. If the STS is configured to require a SAML token for authentication, how is the SAML validation performed, and is there a way to configure a custom handler to validate the incoming SAML assertion before issuing the STS SAML assertion?

Any help is appreciated.

Thanks,
Sunil
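For readers unfamiliar with what "multiple policy alternatives" means in WS-SecurityPolicy terms, the fragment below is an added illustration, not part of the original post, of CXF, or of Metro: a WS-Policy `ExactlyOne` with two `All` alternatives, one accepting a UsernameToken (same-domain callers) and one accepting an IssuedToken (a SAML 2.0 bearer assertion from a named issuer, the other domain's STS). The issuer address, the TLS-only transport binding and the SAML 2.0/bearer choice are assumptions made for the example; whether a given STS version honours both branches is exactly the question being asked above, so the fragment shows the policy shape only, not a tested CXF 2.5.1 configuration.

```xml
<!-- Added example: WS-SecurityPolicy 1.2 with two alternatives; a client may satisfy either branch. -->
<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
            xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
            xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
            xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <wsp:ExactlyOne>

    <!-- Alternative 1: caller from the same domain authenticates with a UsernameToken over TLS. -->
    <wsp:All>
      <sp:TransportBinding>
        <wsp:Policy>
          <sp:TransportToken><wsp:Policy><sp:HttpsToken/></wsp:Policy></sp:TransportToken>
          <sp:AlgorithmSuite><wsp:Policy><sp:Basic128/></wsp:Policy></sp:AlgorithmSuite>
          <sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout>
          <sp:IncludeTimestamp/>
        </wsp:Policy>
      </sp:TransportBinding>
      <sp:SignedSupportingTokens>
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy><sp:WssUsernameToken10/></wsp:Policy>
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:SignedSupportingTokens>
    </wsp:All>

    <!-- Alternative 2: caller from the trusted domain presents a SAML 2.0 bearer token
         issued by that domain's STS (issuer address is a placeholder). -->
    <wsp:All>
      <sp:TransportBinding>
        <wsp:Policy>
          <sp:TransportToken><wsp:Policy><sp:HttpsToken/></wsp:Policy></sp:TransportToken>
          <sp:AlgorithmSuite><wsp:Policy><sp:Basic128/></wsp:Policy></sp:AlgorithmSuite>
          <sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout>
          <sp:IncludeTimestamp/>
        </wsp:Policy>
      </sp:TransportBinding>
      <sp:SignedSupportingTokens>
        <wsp:Policy>
          <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <sp:Issuer>
              <wsa:Address>https://sts.domain-b.example/sts</wsa:Address>
            </sp:Issuer>
            <sp:RequestSecurityTokenTemplate>
              <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
              <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</t:KeyType>
            </sp:RequestSecurityTokenTemplate>
          </sp:IssuedToken>
        </wsp:Policy>
      </sp:SignedSupportingTokens>
    </wsp:All>

  </wsp:ExactlyOne>
</wsp:Policy>
```

Two points worth checking against whichever STS is used: the service must reject a message that satisfies neither branch rather than falling through to the weaker one, and the IssuedToken branch is only as strong as the trust configured for the named issuer's signing certificate, since a bearer assertion carries no proof-of-possession.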
