Description of problem: The PicketLink STS does not include code to decrypt the encrypted tokens. org/picketlink/identity/federation/core/wstrust/PicketLinkSTS.handleTokenRequest() calls org/picketlink/identity/federation/core/wstrust/StandardRequestHandler.postProcess() to encrypt the token. There is no code to decrypt the token on the validate call.