ws-trust using picketlink-sts in JBoss AS7
abhishekhp Nov 14, 2012 11:58 AM
I have the picketlink-sts example (jboss-as7 examples) ws deployed to JBoss AS7 as my STS and a sample POJO web service service provider configured with handlers and its security domain configured with SAML2STSLoginModule as below.
I have a picketlink-sts ws client that obtains a saml assertion and can get the saml assertion created above to be validated and subsequently invoke my sample POJO web service using the configuration that contacts the picketlink STS to validate the token; however, I cannot get the local validation to work.
{code:title=standalone.xml}
<security-domain name="sts">
    <authentication>
        <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSLoginModule" flag="required">
            <module-option name="configFile" value="sts-config.properties"/>
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="localValidation" value="true"/>
            <module-option name="localValidationSecurityDomain" value="sts"/>
        </login-module>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
            <module-option name="usersProperties" value="sts-users.properties"/>
            <module-option name="rolesProperties" value="sts-roles.properties"/>
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
    </authentication>
    <jsse keystore-password="testpass" keystore-url="C:\picketlink\stores\sts_keystore.jks" truststore-password="testpass" truststore-url="C:\jboss\jboss-as-7.1.1.Final-new\standalone\configuration\sts_keystore.jks" server-alias="sts" client-alias="sts"/>
</security-domain>
{code}
I am running into a problem with the keystore provided in the picketlink-sts that I have configured in the jsse for the sts-client security domain.
{noformat}
Caused by: java.security.UnrecoverableKeyException: Cannot recover key at sun.security.provider.KeyProtector.recover(Unknown Source) [rt.jar:1.7.0]
{noformat}
Am I missing anything? Any tutorial on how to get local validation of a SAML assertion working without having to dispatch to the picketlink-sts?
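A small diagnostic I would run against the keystore before touching the security domain (added here as an example; it is not part of the original post or of PicketLink). It assumes the JKS path and password from the jsse element above, and that the key entry under the `sts` alias is what the login module needs for local validation; the "Cannot recover key" exception in the post is what `KeyStore.getKey` throws when the key entry is protected by a password different from the one supplied.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Enumeration;

// Hypothetical diagnostic (not PicketLink code): opens the JKS the jsse element
// points at and tries to recover every private key with the keystore password,
// which is the only password the jsse element in the post supplies.
public class KeystoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: KeystoreCheck <keystore.jks> <keystore-password> [key-password]");
            System.exit(2);
        }
        String path = args[0];                       // e.g. C:\picketlink\stores\sts_keystore.jks
        char[] storePass = args[1].toCharArray();    // e.g. testpass
        // Assume the key is protected with the keystore password unless told otherwise.
        char[] keyPass = args.length > 2 ? args[2].toCharArray() : storePass;

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            // A wrong *keystore* password fails here with an IOException,
            // not with UnrecoverableKeyException, so the post's error is not this case.
            ks.load(in, storePass);
        }

        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isKeyEntry(alias)) {
                System.out.println(alias + ": trusted certificate entry only (no private key)");
                continue;
            }
            try {
                ks.getKey(alias, keyPass);
                System.out.println(alias + ": private key recovered with the supplied password");
            } catch (UnrecoverableKeyException e) {
                // Same exception as in the post: this key entry was stored with a
                // password different from the one the security domain passes in.
                System.out.println(alias + ": Cannot recover key -> key password differs from the supplied one");
            }
        }
    }
}
```

Run it with the keystore path and `testpass`; if the `sts` alias reports "Cannot recover key", the key entry needs to be re-imported (or re-keyed) so that its password matches the one the security domain can supply.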