1. How do we go about placing that assertion into the soap message to continue on to the desired endpoint?
This easiest way might be to have a SOAPHandler on the client side that adds the Assertion element to the security header.
I've used Smooks previously to insert a security element into a SOAP Message but that was mainly because this was used in JBossESB for a quickstart (security_saml) and that made sense at the time for that example.
I spoke with Anil about creating some examples and this might be a good one to add?
1. I was thinking that we create an example that calls PicketLinkSTS via JAAS to issue a token.
2. Then have a call to a web service where the client side is configured with a SOAPHandler that injects the SAML Assertion into the outbound SOAP Security Header.
3. The web service would be configured with a SOAPHandler (for example org.picketlink.identity.federation.core.wstrust.handlers.STSSaml20Handler).
The security_saml JBossESB quickstart does this (except step 2 which is uses Smooks for) but via JBossESB. The last step part of the quickstart is to call an external web service which is configured with the server side SOAPHandler (step 3). The configuration of the web service might be of interest to you.
What do you think?