All I get now is the X500Principal of the HTTPS token. My policy is below. I am relying on the RequireClientCertificate to have the SAML token "signed", and thus I would have expected it to be present in the security context. I am at a loss as to why something like this could change between point releases.
<!-- 2.3.1.1 (WSS1.0) SAML1.1 Assertion (Bearer) -->
<wsp:Policy wsu:Id="TLSBearerPolicy"
    xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:All>
    <sp:TransportBinding>
      <wsp:Policy>
        <sp:TransportToken>
          <wsp:Policy>
            <sp:HttpsToken>
              <wsp:Policy>
                <sp:RequireClientCertificate/>
              </wsp:Policy>
            </sp:HttpsToken>
          </wsp:Policy>
        </sp:TransportToken>
        <sp:AlgorithmSuite>
          <wsp:Policy>
            <sp:Basic128 />
          </wsp:Policy>
        </sp:AlgorithmSuite>
        <sp:Layout>
          <wsp:Policy>
            <sp:Strict />
          </wsp:Policy>
        </sp:Layout>
        <sp:IncludeTimestamp />
      </wsp:Policy>
    </sp:TransportBinding>
    <sp:SignedSupportingTokens>
      <wsp:Policy>
        <sp:SamlToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
          <wsp:Policy>
            <sp:WssSamlV11Token11/>
          </wsp:Policy>
        </sp:SamlToken>
      </wsp:Policy>
    </sp:SignedSupportingTokens>
  </wsp:All>
</wsp:Policy>