A CXF interceptor is required to communicate with the STS and to obtain a security token. For the WS-* case, the IssuedTokenInterceptorProvider is automatically triggered in the CXF WS-Security runtime by an IssuedToken policy associated with the service provider. All that is required in this case is that the STSClient bean is Spring configured.
For the REST case, there is no such interceptor in CXF. A new interceptor STSRESTOutInterceptor is provided in the ESB to communicate with the STS and store the received token on the security context. It must be configured with an STSClient object as per the WS-* case. The resulting token is stored on the security context using the SAMLConstants.SAML_TOKEN_ELEMENT tag. This is picked up automatically by either the SamlFormOutInterceptor or the SamlHeaderOutInterceptor in the JAX-RS security runtime, depending on which has been configured. The SAML Token will then get written out as part of a Form or in the Authorization Header to the JAX-RS service.
See the 'syncope-esb-xacml-rest' example to see how to use the STSRESTOutInterceptor to obtain a SAML Token from the STS from a JAX-RS client, and how to use it in conjunction with the JAX-RS security runtime to send the issued token to the JAX-RS endpoint.