Dan, the question was whether the SAML assertion can be used as the authentication construct rather than username/pwd or an X509 certificate (as supported by the WS-Security implementation in JBossWS). This was what Stefan and I were referring to.
At this time, I think you should forget about the authentication aspect and just focus on passing the SAML assertion to the WST client and let the STS handle the token.
Maybe you can have a single username/pwd for the ESB layer with the STS to pass in the WS-S headers. Or better, some type of X509 certificate that is mutually agreed on.
There are two different things:
1) There needs to be a security context for the client and the STS to interact. This is what is passed in the WS-S headers. It can be a username/pwd or an X509 cert.
2) And then there is the payload (in this case, the SAML assertion) that the STS will use to validate.
From what I see, item 1 is a trust association between the ESB and the ESB client. We can set it up once.
View the original post :
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4256412#...
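To make the two layers concrete, here is an added example (not from the original thread and not JBossWS code) of a WS-Trust 1.3 Validate request as the ESB might send it to the STS: the WS-Security header carries the ESB's own UsernameToken (item 1, the trust association set up once), and the body carries the end user's SAML assertion as the payload the STS validates (item 2). The ESB account name, password, issuer, subject and assertion ID are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <soapenv:Header>
    <!-- Item 1: security context between the ESB and the STS.
         This authenticates the ESB itself, not the end user.
         Placeholder credentials; PasswordText must only travel over TLS,
         an X509 token (as the post suggests) avoids the shared secret entirely. -->
    <wsse:Security soapenv:mustUnderstand="1">
      <wsse:UsernameToken wsu:Id="esb-sts-trust">
        <wsse:Username>esb-service-account</wsse:Username>
        <wsse:Password
            Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">ESB_PASSWORD_PLACEHOLDER</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <!-- Item 2: the payload. The STS is asked to validate the SAML assertion
         the ESB client presented; the user's own credentials never reach the STS. -->
    <wst:RequestSecurityToken>
      <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Validate</wst:RequestType>
      <!-- Ask for a validity status only, not for a new token to be issued -->
      <wst:TokenType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Status</wst:TokenType>
      <wst:ValidateTarget>
        <saml2:Assertion ID="_placeholder-assertion-id" Version="2.0"
                         IssueInstant="2000-01-01T00:00:00Z">
          <saml2:Issuer>https://idp.example.test</saml2:Issuer>
          <!-- ds:Signature omitted for brevity; the STS verifies it against the
               issuer's certificate, then checks the validity window below -->
          <saml2:Subject>
            <saml2:NameID>alice@example.test</saml2:NameID>
          </saml2:Subject>
          <saml2:Conditions NotBefore="2000-01-01T00:00:00Z"
                            NotOnOrAfter="2000-01-01T00:05:00Z"/>
        </saml2:Assertion>
      </wst:ValidateTarget>
    </wst:RequestSecurityToken>
  </soapenv:Body>
</soapenv:Envelope>
```

Without the issuer's signature on the assertion the STS has nothing to trust, so the ESB should treat the header credential as proving only who the ESB is, and the validated assertion as the sole evidence of who the end user is.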