Yes, importing the trusted certs in the various STS instances should work. Another alternative is to use a distributed TokenStore implementation (such as the Hazelcast one in sts-core), which means that the STS instances all share the same cache + should then automatically trust a token issued by another STS that shares the same cache.
Colm.

On Wed, May 28, 2014 at 12:21 PM, <stephen.ctr.chapp...@faa.gov> wrote:

> In order to support high availability and domain segregation requirements,
> our STS deployment will likely consist of multiple STS being deployed
> between two or more domains, each with their own certificate. In theory,
> all of the STS should trust each other, i.e., each STS should accept tokens
> issued by any of the other STS when passed in through the RST/ActAs element
> or when passed into the Validate interface. Can the CXF STS be configured
> with this sort of trust relationship, maybe through importing all the
> trusted certs into the STS keystore or trust store?
>
> Thanx,
>
> Stephen W. Chappell

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
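The shared-cache alternative from the reply above, written out as a Spring bean fragment for an STS endpoint. This is an added illustration, not configuration from the thread or from the CXF distribution: the bean ids (`hazelcastTokenStore`, `transportIssueDelegate`, `transportValidateDelegate`), the cache name `sts-token-cache` and the referenced `transportTokenProviders`/`transportSTSProperties` beans are assumed names, and the class `org.apache.cxf.sts.cache.HazelCastTokenStore` is assumed to be the Hazelcast TokenStore shipped in sts-core that the reply refers to. The point it shows is that the issue and validate operations of every STS instance are wired to one `TokenStore` bean, so a token issued (and cached) by one instance is found in the cache when another instance is asked to validate it.

```xml
<!-- Added example (not from the thread): one distributed TokenStore shared by
     the issue and validate operations of each STS instance. Every instance in
     the cluster uses the same cache name, so they see each other's tokens. -->
<bean id="hazelcastTokenStore" class="org.apache.cxf.sts.cache.HazelCastTokenStore">
    <!-- assumed cache name; must be identical on all STS instances -->
    <constructor-arg value="sts-token-cache"/>
</bean>

<!-- Issue operation: tokens it creates are written to the shared cache. -->
<bean id="transportIssueDelegate" class="org.apache.cxf.sts.operation.TokenIssueOperation">
    <property name="tokenProviders" ref="transportTokenProviders"/>  <!-- assumed bean -->
    <property name="stsProperties" ref="transportSTSProperties"/>    <!-- assumed bean -->
    <property name="tokenStore" ref="hazelcastTokenStore"/>
</bean>

<!-- Validate operation: a token issued by any other STS instance that shares
     the cache is looked up here, so no per-instance certificate import is needed
     for tokens that are still present in the cache. -->
<bean id="transportValidateDelegate" class="org.apache.cxf.sts.operation.TokenValidateOperation">
    <property name="tokenValidators" ref="transportTokenValidators"/>  <!-- assumed bean -->
    <property name="stsProperties" ref="transportSTSProperties"/>
    <property name="tokenStore" ref="hazelcastTokenStore"/>
</bean>
```

Two practical notes on this wiring. The cache only covers tokens that are still in it, so entries evicted by TTL or a restart fall back to whatever signature trust the validators have, which is where the keystore/truststore import from the first part of the reply still matters. And because the Hazelcast cluster now carries live security tokens across the domains, the cluster's network membership should be restricted to the STS hosts themselves rather than left on its defaults.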