I've recently done some work migrating my STS implementation from using CXF 
2.7.14 up to 3.1.4. In testing the upleveled STS, I noticed that a change crept 
in somewhere along the way when requesting a bearer token - in CXF 3, the 
returned token has an additional AttributeStatement:

<saml2:AttributeStatement>
    <saml2:Attribute Name="token-requestor" NameFormat="http://cxf.apache.org/sts">
        <saml2:AttributeValue xsi:type="xsd:string">authenticated</saml2:AttributeValue>
    </saml2:Attribute>
</saml2:AttributeStatement>

I don't think this is a problem for me necessarily, but it was unexpected. Is 
there a way to suppress the inclusion of this attribute in the token? Or, some 
rationale for why I maybe shouldn't?

Thanx,

Stephen W. Chappell
