Configuring a Security Token Service (STS) for Holder-of-Key Processing
When determining which STS to use, consider the following:

The STS must be able to provide a SAML 1.1 or 2.0 Holder-of-Key token to the client.

The client must authenticate itself by sending an X.509, Username, or HTTP token to the STS.

The STS issues a SAML assertion that carries the client's public key as the key information material in the token.

The client uses its private key to sign the assertion before sending the request to Mediator.
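The exchange above binds the client's key into the token; the security it buys is only realized if the relying party (Mediator, in this case) checks that binding on every request. The following is an added example, not code from the Mediator documentation or from either STS listed below: it performs the holder-of-key check a relying party must do after an XML-Signature library has verified the request signature and reported the signing certificate. The assertion text, the certificate values and the STS URL are constructed placeholders; `signer_cert_b64` is assumed to be the verified signer certificate handed over by that library, so the cryptographic signature check itself is not repeated here.

```python
"""Holder-of-Key binding check for a SAML 2.0 assertion (added example).

After an XML-Signature library has verified the request signature and told us
which certificate signed it, the relying party must still confirm that this
certificate is the one bound into the assertion's SubjectConfirmation. Without
that step a holder-of-key token degrades to a bearer token.
"""
import base64
import datetime as dt
import hmac
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed placeholders standing in for DER-encoded X.509 certificates.
CLIENT_CERT = base64.b64encode(b"constructed client certificate").decode()
OTHER_CERT = base64.b64encode(b"constructed unrelated certificate").decode()


def sample_assertion(cert_b64, not_on_or_after, method=HOK_METHOD):
    """Constructed SAML 2.0 assertion in the shape an STS issues for HoK:
    the client's certificate appears in SubjectConfirmationData/KeyInfo."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    ID="_constructed-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.example.invalid</saml:Issuer>
  <saml:Subject>
    <saml:NameID>client-app</saml:NameID>
    <saml:SubjectConfirmation Method="{method}">
      <saml:SubjectConfirmationData xsi:type="saml:KeyInfoConfirmationDataType"
          NotOnOrAfter="{not_on_or_after}">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


def holder_of_key_check(assertion_xml, signer_cert_b64, now=None):
    """Return (accepted, reason).

    signer_cert_b64 is the certificate an XML-Signature library has already
    verified as the request signer (assumed input; signature verification is
    not repeated here). Acceptance requires a non-expired holder-of-key
    confirmation whose bound certificate equals the signer certificate.
    """
    now = now or dt.datetime.now(dt.timezone.utc)
    root = ET.fromstring(assertion_xml)
    confirmations = root.findall("saml:Subject/saml:SubjectConfirmation", NS)
    hok = [c for c in confirmations if c.get("Method") == HOK_METHOD]
    if not hok:
        return False, "no holder-of-key SubjectConfirmation (bearer assertions rejected)"

    presented = base64.b64decode("".join(signer_cert_b64.split()))
    reason = "signer key is not the key bound in the assertion"
    for conf in hok:
        data = conf.find("saml:SubjectConfirmationData", NS)
        if data is None:
            continue
        expiry = data.get("NotOnOrAfter")
        if expiry is not None:
            limit = dt.datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%SZ")
            if now >= limit.replace(tzinfo=dt.timezone.utc):
                reason = "holder-of-key confirmation expired"
                continue
        for cert in data.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            # Base64 in XML may be wrapped; compare decoded bytes, constant-time.
            bound = base64.b64decode("".join((cert.text or "").split()))
            if hmac.compare_digest(bound, presented):
                return True, "signer key matches the key bound in the assertion"
    return False, reason


def demo():
    """Four constructed cases; returns {case description: accepted}."""
    good = sample_assertion(CLIENT_CERT, "2030-01-01T00:00:00Z")
    bearer = sample_assertion(CLIENT_CERT, "2030-01-01T00:00:00Z", BEARER_METHOD)
    expired = sample_assertion(CLIENT_CERT, "2000-01-01T00:00:00Z")
    return {
        "client signs with bound key": holder_of_key_check(good, CLIENT_CERT)[0],
        "same assertion, different signer": holder_of_key_check(good, OTHER_CERT)[0],
        "bearer assertion": holder_of_key_check(bearer, CLIENT_CERT)[0],
        "expired confirmation": holder_of_key_check(expired, CLIENT_CERT)[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{'accept' if ok else 'reject'}: {case}")
```

The second case is the one that matters in practice: the request signature is valid, but the signer is not the party the STS bound into the token, so the request must be rejected even though every individual signature verifies.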

There are two freely available STS implementations:

Axis2

JBoss PicketLink