Hi Vjacheslav,

Thanks for your interest and question.

Basically, the STS service is not required; it is just an option. Of course, you can issue the SAML token directly from the client. However, there are some cases where an STS can be useful (I have also written about them in the post):

1) A federation scenario with multiple clients from different domains sending requests to the same target service. In this case, if every client issues SAML itself, the target service has to trust all clients' certificates. This is a complex administration task (certificates expire, etc.) and is even not allowed in some cases because of security restrictions. This problem is solved by using an STS service, because in this case the target service has to trust only the STS certificate. The STS takes care of client authentication, PoP, etc.

2) If you use different types of tokens and authentication methods, the client has to be aware of and handle all of them. The STS helps to resolve that, because the client just delegates the PoP and token issuing tasks to the STS service. Client dependencies, configuration and code stay lean.

Regards,
Andrei.

> -----Original Message-----
> From: Vjacheslav V. Borisov [mailto:slav...@gmail.com]
> Sent: Thursday, 31 March 2016 10:39
> To: users@cxf.apache.org
> Subject: Re: Post: CXF JAX-RS SAML based authentication
>
> Hi!
>
> Interesting article, but if we are using client private and public keys in the SSL
> connection, why is an additional STS service required?
>
>
> 2016-03-30 23:21 GMT+04:00 Andrei Shakirin <ashaki...@talend.com>:
> > Hi,
> >
> > I have published a small post with an example illustrating JAX-RS SAML
> > based authentication using the new STSTokenOutInterceptor:
> >
> > http://ashakirin-cxf-security.blogspot.de/2016/03/cxf-jax-rs-security-authentication-with.html
> >
> > Perhaps it can help somebody interested in JAX-RS security in CXF.
> >
> > Regards,
> > Andrei.
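The trust fan-in that Andrei's reply describes (point 1: the target service trusts one STS key instead of every client certificate, and the STS does client authentication and PoP) can be shown with a small model of the three parties. The following is an added example, not code from the post, from CXF or from the STS project: it replaces SAML assertions, XML-DSig and X.509 certificates with JSON bodies and Ed25519 key pairs, and the party names, challenge and nonce values are constructed for the demonstration. The relying party checks the issuer signature against its trust store and then holder-of-key PoP, exactly the two steps that move from every client to a single STS when an STS is introduced.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Assertion is a constructed stand-in for a SAML assertion: the subject, the
// issuer whose key signed it, and the subject's public key for holder-of-key PoP.
type Assertion struct {
	Subject   string `json:"subject"`
	Issuer    string `json:"issuer"`
	HolderKey []byte `json:"holder_key"`
}

// SignedAssertion is the serialized assertion plus the issuer's signature over it.
type SignedAssertion struct {
	Body, Sig []byte
}

// Party is one principal with an Ed25519 key pair, standing in for an X.509
// certificate and its private key.
type Party struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewParty(name string) *Party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the CSPRNG is broken
	}
	return &Party{Name: name, Pub: pub, priv: priv}
}

// Sign is how a party proves possession of its private key over a challenge.
func (p *Party) Sign(msg []byte) []byte { return ed25519.Sign(p.priv, msg) }

// Issue signs an assertion about subject under this party's key and binds it to
// the holder's public key. A client calls this itself when there is no STS.
func (p *Party) Issue(subject string, holder ed25519.PublicKey) SignedAssertion {
	body, _ := json.Marshal(Assertion{Subject: subject, Issuer: p.Name, HolderKey: holder})
	return SignedAssertion{Body: body, Sig: p.Sign(body)}
}

// STS authenticates clients against its own registry and issues assertions
// under the single STS key, so the target service never sees client keys.
type STS struct {
	*Party
	clients map[string]ed25519.PublicKey
}

// Request is the client's token request: PoP is a signature over the challenge
// the STS handed out. Client authentication happens here, not at the service.
func (s *STS) Request(client string, challenge, proof []byte) (SignedAssertion, error) {
	pub, ok := s.clients[client]
	if !ok || !ed25519.Verify(pub, challenge, proof) {
		return SignedAssertion{}, fmt.Errorf("sts: client %q not authenticated", client)
	}
	return s.Issue(client, pub), nil
}

// RelyingParty is the target service; trust maps issuer name to issuer key.
type RelyingParty struct {
	trust map[string]ed25519.PublicKey
}

// Accept checks the issuer signature against the trust store, then holder-of-key
// PoP: the presenter must sign the service's nonce with the key bound in the token.
func (rp *RelyingParty) Accept(sa SignedAssertion, nonce, pop []byte) (string, error) {
	var a Assertion
	if err := json.Unmarshal(sa.Body, &a); err != nil {
		return "", err
	}
	issuerKey, ok := rp.trust[a.Issuer]
	if !ok {
		return "", fmt.Errorf("untrusted issuer %q", a.Issuer)
	}
	if !ed25519.Verify(issuerKey, sa.Body, sa.Sig) {
		return "", fmt.Errorf("bad signature from issuer %q", a.Issuer)
	}
	if len(a.HolderKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(ed25519.PublicKey(a.HolderKey), nonce, pop) {
		return "", fmt.Errorf("holder-of-key proof failed for %q", a.Subject)
	}
	return a.Subject, nil
}

func main() {
	alice := NewParty("alice")
	sts := &STS{Party: NewParty("sts"), clients: map[string]ed25519.PublicKey{"alice": alice.Pub}}
	// The service trusts exactly one issuer, however many clients the STS knows.
	service := &RelyingParty{trust: map[string]ed25519.PublicKey{"sts": sts.Pub}}
	challenge, nonce := []byte("sts-challenge"), []byte("service-nonce") // fixed for the demo; random in practice
	tok, err := sts.Request("alice", challenge, alice.Sign(challenge))
	if err != nil {
		panic(err)
	}
	subject, err := service.Accept(tok, nonce, alice.Sign(nonce))
	fmt.Println("STS-issued token: subject =", subject, "err =", err)
	_, err = service.Accept(alice.Issue("alice", alice.Pub), nonce, alice.Sign(nonce))
	fmt.Println("self-issued token: err =", err)
}
```

Without the STS, the same `RelyingParty` works only if its `trust` map holds one entry per client, which is the administration burden the reply refers to; with the STS it holds a single entry, and a stolen token still fails at the PoP step because the thief cannot sign the service's nonce with the holder key.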