Recall that the SAMLTokenValidator has the following method:
void setSamlRealmCodec(SAMLRealmCodec samlRealmCodec)- Set the SAMLRealmCodec instance to use to return a realm from a validated token.
The SAMLRealmCodec has a single method:
String getRealmFromToken(AssertionWrapper assertion)- Get the realm associated with the (SAML Assertion) parameter.
No SAMLRealmCodec implementation is set by default on the SAMLTokenValidator, hence no realm is returned in TokenValidatorResponse. If an implemention is specified, then the SAMLTokenValidator will retrieve a realm from theSAMLRealmCodec implementation corresponding to the validated Assertion. If a cache is configured, and the Assertion was already stored in the cache, then the realm is compared to the realm of the cached token, stored under the tag "org.apache.cxf.sts.token.realm". If they do not match then validation fails.