I was checking the PicketLink STS code and I've noticed that there seem to exist two login modules that would accept a SAML credential and validate it against an STS:
- org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSLoginModule, which is the one I'm currently using (from the picketlink-jboss-binding); and
- org.picketlink.identity.federation.core.wstrust.auth.STSValidatingLoginModule, from picketlink-fed-core, which grabbed my attention as it seems to support the use of mapping providers.
What's the difference between the two? One thing that I've noticed is that the first, when configured for password stacking, propagates the SAML credential, while the second propagates the password used to authenticate against the STS (which I don't get).
The first one is used by the SAML2 web browser profile, while the modules with STS in their names deal with the WS-Trust stuff.