Our web app, that users log in using SAML (Pickelink), need to make a SSO call to remote WS on behalf of the logged in user (within the same http session to propagate changes done by users). The remote WS uses the same IDP as our web app (WS-Trust). I'm looking at STSWSClientTestCase sample https://docs.jboss.org/author/display/PLINK/SAML2Handler , and have one question: how can I get/generate SAML2 assertion without knowing credentials of the current user. Is it possible to reuse the same token our web app got during user authentication? If yes how can I get it from the http servlet?