This is not something that happens every request. It happens when you make a decision to trust an external identity provider so it is a relatively rare event. The key word here is "external". For example, suppose you decide to trust a third party STS to issue SAML tokens that you can use for web service auth.
Let me make this more concrete. Somewhere in an org an STS exists that is plugged into an existing identity and attribute store. You want to use tokens issued by that service to authenticate web service calls. However, the most popular use case for SAML data is to establish trust between identity provider and service provider when setting up SAML SSO. -- View this message in context: http://cxf.547215.n5.nabble.com/SAML-metadata-tp5723816p5724196.html Sent from the cxf-user mailing list archive at Nabble.com.
