Setting ws-security.cache.issued.token.in.endpoint" to "false" is the recommended setting for a delegation scenario, where a webapp acts as an intermediary that requests tokens for a webserivce on behalf of a WS-Federation SAML token.
When this setting is effective however, we observe that tokens that have been issued for use by the intermediary are not renewed on expiry.
The following code in IssuedTokenInterceptorProvider may be the starting point of this misbehaviour:
With the above property set to false the issued token is cached in a different way than expected by retrieveCachedToken, leading to the bypass of the token renewal.
Instead the token is cached indirectly via the actAs or onBehalfOf token where it is retrieved from by the #handleDelegation method of the same Interceptor.