ActAs Delegate not propagating original client user
I'm trying to get the ActAs delegate working. What's happening is that the user at the last WS endpoint is coming out as the user by which we obtained the delegate token, rather than the user the client originally specified. Let me explain.
Client --> WS --> WS1
Like the delegate example, assume the client user is 'alice' and that WS is configured to log in as 'bob' to the STS. What I expect is that WS will ask for a new token as 'bob' to represent the original user 'alice', and that when it gets to WS1, the principal subject will be 'alice'.
However, the Principal subject at WS1 is coming out as 'bob'. Any ideas why that might be?
In the STSAttributeProvider, when getting the 2nd token for WS1, I never hit this case because the Claims parameter has zero claims:
if ("true".equals(claims.getOtherAttributes().get(new QName("ActAs")))) //<<< always returns false