I've recently done some work migrating my STS implementation from using CXF 2.7.14 up to 3.1.4. In testing the upleveled STS, I noticed that a change crept in somewhere along the way when requesting a bearer token - in CXF 3, the returned token has an additional AttributeStatement:
<saml2:AttributeStatement> <saml2:Attribute Name="token-requestor" NameFormat="http://cxf.apache.org/sts"> <saml2:AttributeValue xsi:type="xsd:string">authenticated</saml2:AttributeValue> </saml2:Attribute> </saml2:AttributeStatement> I don't think this is a problem for me necessarily, but it was unexpected. Is there a way to suppress the inclusion of this attribute in the token? Or, some rationale for why I maybe shouldn't? Thanx, Stephen W. Chappell