I've found two issues after looking into this in more detail. The first is that the "cxf-ut-encrypted" STS configuration shipped with Fediz does not in fact encrypt the issued token due to a missing configuration line. I've merged a fix for this here:

http://svn.apache.org/viewvc?view=revision&revision=1363393

Secondly, the Symmetric holder-of-key use-case, where the symmetric key is encrypted with the certificate of the service provider, does not use the EncryptionProperties.getKeyWrapAlgorithm as you might expect, but always uses the default RSA 1.5 algorithm. I've fixed this as well:

https://issues.apache.org/jira/browse/CXF-4436
http://svn.apache.org/viewvc?view=revision&revision=1363394

I can't reproduce the decryption error you're seeing though. Could you upgrade your JDK to the latest 1.6.x and apply the unlimited security policies, and try again using the latest CXF SNAPSHOT code?

Colm.
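Both problems described above can be caught by looking at the RequestSecurityTokenResponse the STS actually returns rather than trusting the configuration: the first shows up as a token with no xenc:EncryptedData at all, the second as an xenc:EncryptedKey whose EncryptionMethod is rsa-1_5 even though a different key-wrap algorithm was configured. The following checker is an added example written for this message; it is not code from Colm, CXF or Fediz. It only relies on the standard XML Encryption and XML Signature namespaces, and the three responses it is run against are constructed, minimal XML stand-ins for STS output, not captured traffic.

```python
"""Inspect an STS RequestSecurityTokenResponse for the two encryption problems
discussed in the message: an issued token that is not encrypted at all, and a
holder-of-key symmetric key that is wrapped with RSA 1.5 instead of the
configured key-wrap algorithm.

Added example; not Apache CXF or Fediz code.  The sample responses at the
bottom are constructed for illustration and are not real STS output.
"""
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"

# Standard XML Encryption key-transport algorithm URIs.
RSA_15 = XENC + "rsa-1_5"            # PKCS#1 v1.5 key transport (the unwanted default)
RSA_OAEP = XENC + "rsa-oaep-mgf1p"   # RSA-OAEP, the usual configured replacement
NS = {"xenc": XENC}


def inspect_issued_token(rstr_xml):
    """Return what the response reveals about token and key encryption.

    assertion_encrypted: True if the response carries an xenc:EncryptedData
    key_wraps:           Algorithm URIs of every xenc:EncryptedKey found
    findings:            problems a verifier would want flagged
    """
    root = ET.fromstring(rstr_xml)
    assertion_encrypted = root.find(".//xenc:EncryptedData", NS) is not None

    key_wraps = []
    for enc_key in root.iter("{%s}EncryptedKey" % XENC):
        method = enc_key.find("xenc:EncryptionMethod", NS)
        if method is not None and method.get("Algorithm"):
            key_wraps.append(method.get("Algorithm"))

    findings = []
    if not assertion_encrypted and not key_wraps:
        # The first issue: the "encrypted" STS profile issued a plaintext token.
        findings.append("token carries no EncryptedData or EncryptedKey: it was not encrypted")
    for alg in key_wraps:
        if alg == RSA_15:
            # The second issue: configured key-wrap algorithm silently ignored.
            findings.append("symmetric key wrapped with rsa-1_5; configured key-wrap algorithm not applied")
    return {"assertion_encrypted": assertion_encrypted,
            "key_wraps": key_wraps,
            "findings": findings}


# Constructed sample 1: plaintext assertion from an "encrypted" STS profile.
PLAINTEXT_RESPONSE = """<RequestSecurityTokenResponse xmlns="%s">
  <RequestedSecurityToken>
    <saml2:Assertion xmlns:saml2="%s" ID="_constructed-1"/>
  </RequestedSecurityToken>
</RequestSecurityTokenResponse>""" % (WST, SAML2)

# Constructed sample 2: holder-of-key assertion whose symmetric key is wrapped with RSA 1.5.
HOK_RSA15_RESPONSE = """<RequestSecurityTokenResponse xmlns="%s">
  <RequestedSecurityToken>
    <saml2:Assertion xmlns:saml2="%s" ID="_constructed-2">
      <saml2:Subject><saml2:SubjectConfirmation><saml2:SubjectConfirmationData>
        <ds:KeyInfo xmlns:ds="%s">
          <xenc:EncryptedKey xmlns:xenc="%s">
            <xenc:EncryptionMethod Algorithm="%s"/>
            <xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue></xenc:CipherData>
          </xenc:EncryptedKey>
        </ds:KeyInfo>
      </saml2:SubjectConfirmationData></saml2:SubjectConfirmation></saml2:Subject>
    </saml2:Assertion>
  </RequestedSecurityToken>
</RequestSecurityTokenResponse>""" % (WST, SAML2, DSIG, XENC, RSA_15)

# Constructed sample 3: the whole assertion encrypted, key wrapped with RSA-OAEP.
ENCRYPTED_OAEP_RESPONSE = """<RequestSecurityTokenResponse xmlns="%s">
  <RequestedSecurityToken>
    <xenc:EncryptedData xmlns:xenc="%s">
      <xenc:EncryptionMethod Algorithm="%saes256-cbc"/>
      <ds:KeyInfo xmlns:ds="%s">
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="%s"/>
          <xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </RequestedSecurityToken>
</RequestSecurityTokenResponse>""" % (WST, XENC, XENC, DSIG, RSA_OAEP)


if __name__ == "__main__":
    for name, doc in (("plaintext", PLAINTEXT_RESPONSE),
                      ("hok-rsa15", HOK_RSA15_RESPONSE),
                      ("encrypted-oaep", ENCRYPTED_OAEP_RESPONSE)):
        print(name, inspect_issued_token(doc))
```

Run it against a response captured from your own STS (for example via a CXF logging interceptor) instead of the constructed samples; an empty `findings` list for the encrypted profile means the token really was encrypted and the key was wrapped with the algorithm you configured.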
