Major Description
STS issues SAML Token using WSS4J to parse SAMLCallback object into SAML Assertion.
Actually STS issue operation doesn't provide callback to customize SAML Assertion directly.
Due some restrictions in WSS4J SAML representation (for example ConditionsBean doesn't support extensions, etc), it makes sense that user has possibility to modify/customize created SAMLToken before signing.
It can be done in method SAMLTokenProvider.createSamlToken(), callback's argument is AssertionWrapper.
Corresponded mail list discussion: http://cxf.547215.n5.nabble.com/Customizing-Conditions-in-CXF-STS-td5719270.html.