A full implementation of the STS was recently added to the Apache CXF codebase and this implementation has a highly modular and customisable architecture, as you can see from the following architecture overview:
For example, the token Issue operation can be customised by plugging in a token provider such as SAMLTokenProvider or SCTProvider (the secure conversation token provider), and the token Validate operation can be customised by plugging in one or more of the token validators: SAMLTokenValidator, UsernameTokenValidator, X509TokenValidator or SCTTokenValidator.
The STS implementation has a number of special features, including:
- Support for embedding Claims data in issued tokens.
- Support for the AppliesTo policy (which enables you to centralise token issuing requirements).
- Support for security realms.
These are all described in the new documentation, in the Security Token Services chapter.
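To make the pluggable architecture concrete, the following is an added example (not code from the page or from the Apache CXF project) that wires an STS endpoint in Java: a SAMLTokenProvider behind the Issue operation, three validators behind the Validate operation, a claims handler that feeds claim values into issued tokens, and a StaticService that restricts issuance to a known AppliesTo endpoint. The class and method names are taken from the CXF 2.5-era STS API as recalled here rather than from the page, so they should be checked against the CXF version in use; the keystore property file name, signature alias, callback handler class, claim URI, endpoint pattern and the role lookup are all constructed for illustration.

```java
// Added example: programmatic wiring of a CXF STS endpoint.
// API names assumed from the CXF 2.5-era STS (org.apache.cxf.sts.*); verify
// against the version in use. All property values below are constructed.
import java.net.URI;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.apache.cxf.sts.StaticSTSProperties;
import org.apache.cxf.sts.claims.Claim;
import org.apache.cxf.sts.claims.ClaimCollection;
import org.apache.cxf.sts.claims.ClaimsHandler;
import org.apache.cxf.sts.claims.ClaimsManager;
import org.apache.cxf.sts.claims.ClaimsParameters;
import org.apache.cxf.sts.claims.RequestClaim;
import org.apache.cxf.sts.claims.RequestClaimCollection;
import org.apache.cxf.sts.operation.TokenIssueOperation;
import org.apache.cxf.sts.operation.TokenValidateOperation;
import org.apache.cxf.sts.service.ServiceMBean;
import org.apache.cxf.sts.service.StaticService;
import org.apache.cxf.sts.token.provider.SAMLTokenProvider;
import org.apache.cxf.sts.token.provider.TokenProvider;
import org.apache.cxf.sts.token.validator.SAMLTokenValidator;
import org.apache.cxf.sts.token.validator.TokenValidator;
import org.apache.cxf.sts.token.validator.UsernameTokenValidator;
import org.apache.cxf.sts.token.validator.X509TokenValidator;
import org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider;

public class StsWiring {

    /** Hypothetical claims handler: answers a "role" claim for the authenticated principal. */
    public static class RoleClaimsHandler implements ClaimsHandler {
        static final URI ROLE =
            URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role");

        public List<URI> getSupportedClaimTypes() {
            return Arrays.asList(ROLE);
        }

        public ClaimCollection retrieveClaimValues(RequestClaimCollection requested,
                                                   ClaimsParameters params) {
            ClaimCollection out = new ClaimCollection();
            for (RequestClaim rc : requested) {
                if (ROLE.equals(rc.getClaimType())) {
                    Claim c = new Claim();
                    c.setClaimType(ROLE);
                    // Constructed lookup: a real handler would consult a directory or database.
                    String user = params.getPrincipal().getName();
                    c.setValue("alice".equals(user) ? "admin" : "user");
                    out.add(c);
                }
            }
            return out;
        }
    }

    public static SecurityTokenServiceProvider buildSts() throws Exception {
        // Key material the STS uses to sign issued tokens (file and alias are constructed).
        StaticSTSProperties props = new StaticSTSProperties();
        props.setSignaturePropertiesFile("stsKeystore.properties");
        props.setSignatureUsername("mystskey");
        props.setCallbackHandlerClass("demo.StsPasswordCallbackHandler"); // hypothetical class
        props.setIssuer("DemoSTS");

        // Issue operation: only the SAML provider is plugged in, so requests for
        // other token types are rejected; the claims manager embeds claim values.
        TokenIssueOperation issue = new TokenIssueOperation();
        issue.setStsProperties(props);
        List<TokenProvider> providers = new ArrayList<TokenProvider>();
        providers.add(new SAMLTokenProvider());
        issue.setTokenProviders(providers);

        ClaimsManager claimsManager = new ClaimsManager();
        claimsManager.setClaimHandlers(Arrays.<ClaimsHandler>asList(new RoleClaimsHandler()));
        issue.setClaimsManager(claimsManager);

        // AppliesTo: tokens are issued only for endpoints matching this (constructed) pattern.
        StaticService service = new StaticService();
        service.setEndpoints(Arrays.asList("https://localhost:8443/doubleit/services/.*"));
        issue.setServices(Arrays.<ServiceMBean>asList(service));

        // Validate operation: accept SAML, UsernameToken and X.509 tokens.
        TokenValidateOperation validate = new TokenValidateOperation();
        validate.setStsProperties(props);
        List<TokenValidator> validators = new ArrayList<TokenValidator>();
        validators.add(new SAMLTokenValidator());
        validators.add(new UsernameTokenValidator());
        validators.add(new X509TokenValidator());
        validate.setTokenValidators(validators);

        SecurityTokenServiceProvider sts = new SecurityTokenServiceProvider();
        sts.setIssueOperation(issue);
        sts.setValidateOperation(validate);
        return sts;
    }
}
```

In practice the same beans are normally declared in Spring XML with identical property names (`tokenProviders`, `tokenValidators`, `services`, `claimsManager`, `stsProperties`); the Java form above is used here only to make the plug-in points visible in one place. Leaving a token type out of the provider or validator list is what turns the modular design into a security control: the Issue operation above cannot be talked into issuing a non-SAML token, and the AppliesTo list prevents tokens being issued for relying parties the STS was never configured for.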