I looked into this today, and fortunately a patch is not required. You need to modify the following setting in the Passive STS web.config file,
<add key="EncryptingCertificateName" value="" />

If you specify a blank value in that setting, the passive STS will not encrypt the issue token.

Regards,
Pablo.

-----Original Message-----
From: Chintana Wilamuna [mailto:chinta...@gmail.com]
Sent: Thursday, October 22, 2009 2:50 PM
To: Pablo Cibraro
Cc: stonehenge-dev@incubator.apache.org
Subject: Re: Token returned by the .Net passive STS

Pablo Cibraro wrote:
> not sure how the rest of the implementations are doing. Can that be
> done in WSO2 identity server ?.

It seems that it cannot be done with the latest version of the Identity Server. Since the spec doesn't mandate it, there's no easy way to do it. Is it possible not to encrypt the token? If the token is encrypted there's no way to get the DOTNET_CLIENT -> WSAS_BS scenario working.

Bye,
-Chintana

--
http://engwar.com