WSS4J may have some stuff that you can use, but you could also handle this directly with JAXB. Both are probably some effort though. I guess that the low level details as to how to do the above are really probably what you are looking for, but maybe some background on the higher level flow (most of which is token type independent) may be of some use.
After doing your issue request to the STS and extracting the SAML token from the RSTR, you could potentially develop a simple credentials model that maintains the "currency" or outbound applicability of this token credential. An appropriate out interceptor could be developed that would query this current credentials interface and then generate the appropriate WSS SAML token profile data on the way out.

There is a slightly different flow for an initiating client that is invoking the issue binding as an SSO client login, and for a target server that is doing an issue binding on behalf of a client that has not previously obtained a SAML SSO token. E.g. a pure client might wish to use an SSO credential for all outbound calls, but say for example that non-SAML SSO WS-Security credentials were received by an intermediate WS-Trust enabled target server; then the SSO credentials might be requested "on behalf" of the initiating client by the target server. Subsequently the resulting SAML SSO token could be used for the outbound call to the next tier.

Assuming that a client has done SSO to a Login STS to obtain an unsigned SAML token, this would then be presented to the target server, and a target server interceptor could invoke the WS-Trust STS validate binding to verify it, receiving a validated and potentially transformed token based on the RST metadata supplied (e.g. requested token type etc.). However, for a "signed SAML" scenario the target server may locally be able to do all required validation without needing to consult the STS.

Cheers,
Donal

-----Original Message-----
From: Tim Williams [EMAIL PROTECTED]
Sent: 30 June 2008 21:26
To: users@cxf.apache.org
Subject: Binding/Validating a SAMLv2 Token with STS

So my STS returns a SAML token that I can get as a w3c element. I'm wondering how I can bind that token to an outgoing message and then validate a SAMLv2 token on an incoming service call.

There are samples of, I think, something similar using a UserNameToken with WSS4J(In|Out)Interceptor, but I'm not sure what the ACTION and Map entries would be for a SAML Token and/or if this is the right approach? Any help much appreciated...

--tim
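One concrete shape of the "credentials model" plus out interceptor that Donal sketches above, as an added example that is not from this thread or from the CXF project: the holder reads the assertion's NotOnOrAfter so that an expired bearer token is refused before it leaves the client, and the interceptor places a still-current assertion in a wsse:Security header. It assumes the saml2:Assertion has already been extracted from the RSTR as a w3c Element; the class names and the 30-second clock-skew allowance are illustrative choices, not CXF API.

```java
import java.time.Duration;
import java.time.Instant;
import javax.xml.namespace.QName;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.headers.Header;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/** Hypothetical credentials holder: the saml2:Assertion extracted from the RSTR plus its validity window. */
final class SamlTokenCredentials {
    static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    private final Element assertion;
    private final Instant notOnOrAfter;   // saml2:Conditions/@NotOnOrAfter, or null if the assertion has none
    SamlTokenCredentials(Element assertion) {
        this.assertion = assertion;
        Element c = (Element) assertion.getElementsByTagNameNS(SAML2_NS, "Conditions").item(0);
        String v = c == null ? "" : c.getAttribute("NotOnOrAfter");
        this.notOnOrAfter = v.isEmpty() ? null : Instant.parse(v);   // SAML times are UTC xs:dateTime
    }
    /** "Currency" check: usable only while now plus a clock-skew allowance is before NotOnOrAfter. */
    boolean isCurrent(Instant now, Duration skew) {
        return notOnOrAfter == null || now.plus(skew).isBefore(notOnOrAfter);
    }
    Element getAssertion() { return assertion; }
}

/** Hypothetical out interceptor: refuses to send a stale token, otherwise puts it in wsse:Security. */
public final class SamlTokenOutInterceptor extends AbstractPhaseInterceptor<SoapMessage> {
    static final String WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    private final SamlTokenCredentials credentials;
    public SamlTokenOutInterceptor(SamlTokenCredentials credentials) {
        super(Phase.PRE_PROTOCOL);   // runs before the SOAP envelope is written, so headers can still be added
        this.credentials = credentials;
    }
    @Override
    public void handleMessage(SoapMessage message) throws Fault {
        if (!credentials.isCurrent(Instant.now(), Duration.ofSeconds(30))) {
            throw new Fault(new IllegalStateException("SAML token no longer current; re-issue from the STS"));
        }
        Document doc = DOMUtils.createDocument();   // fresh document so the header owns its own nodes
        Element security = doc.createElementNS(WSSE_NS, "wsse:Security");
        security.appendChild(doc.importNode(credentials.getAssertion(), true));
        message.getHeaders().add(new Header(new QName(WSSE_NS, "Security"), security));
    }
}
```

Register the interceptor on the client's out interceptor chain; on the receiving side the signed-versus-unsigned distinction described above decides whether local signature validation is enough or the STS validate binding has to be consulted.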