Andre Durand announced that Ping has released their STS for early adopters. This is a very encouraging sign. Patrick Harding explained the implementation of the Security Token Server concept to me a while back and I was very impressed by his thoughts. The ability to mediate token communication and transform security tokens solves an important design problem in Security for SOA. While many people focus on the "front half" of identity negotiations (e.g. authentication), the back half often defines how the principal is transformed and communicated to the middle tier and back end. Whether your design uses some sort of delegation, impersonation, or federation alters the fundamental security model of the transaction. The flexibility provided by an STS (which decouples token inputs from token outputs) is a welcome piece of identity middleware: it gives identity design the same robust set of options, and the same means of dealing with constraints, that an app server gives software design.
Think of a J2EE (or .Net, for that matter) app server as a protocol bridge. I may deal with HTTP inbound (servlets), map that to RMI-IIOP (EJB), and then query a database (JDBC). Each of these is a fundamental protocol designed for its purpose. In identity, we should have the same options: enable inbound Kerberos or X.509 to be translated to SAML, for example.
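As an added illustration (not Ping's STS and not code from this post), here is a compact model of the mediation just described: a service that accepts a constructed stand-in for an inbound X.509 or Kerberos credential, checks it against a configured trust list, maps the principal to the identifier the back end understands, and issues a SAML-style assertion, optionally recording the delegating intermediary. HMAC stands in for the real certificate, ticket and XML-DSig checks, the assertion format is simplified, and all names, keys and issuers are assumptions.

```python
import hashlib, hmac, time
from dataclasses import dataclass
from xml.sax.saxutils import escape

def _mac(key: bytes, *parts: str) -> str:
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()
@dataclass
class InboundToken:   # constructed stand-in for an X.509 cert or a Kerberos ticket
    kind: str         # "x509" or "kerberos"
    subject: str      # certificate subject DN or Kerberos principal
    issuer: str       # CA name or KDC realm
    expires: float
    proof: str        # stand-in for the CA signature / ticket integrity check

def mint_inbound(kind, subject, issuer, issuer_key: bytes, ttl=60) -> InboundToken:
    exp = time.time() + ttl
    return InboundToken(kind, subject, issuer, exp, _mac(issuer_key, kind, subject, issuer, str(exp)))

PRINCIPAL_MAP = {  # inbound subject -> identifier the middle tier and back end understand
    "x509": lambda dn: next(p.strip()[3:] for p in dn.split(",") if p.strip().upper().startswith("CN=")),
    "kerberos": lambda princ: princ.split("@", 1)[0],  # drop the realm
}

class SecurityTokenService:  # decouples the inbound token format from the outbound assertion
    def __init__(self, signing_key: bytes, trusted_issuers: dict):
        self._key, self._trusted = signing_key, trusted_issuers  # trusted: (kind, issuer) -> key
    def exchange(self, tok: InboundToken, delegator: str = "") -> str:
        key = self._trusted.get((tok.kind, tok.issuer))     # 1. trust: only configured issuers
        if key is None:
            raise PermissionError(f"untrusted {tok.kind} issuer {tok.issuer}")
        if not hmac.compare_digest(tok.proof, _mac(key, tok.kind, tok.subject, tok.issuer, str(tok.expires))):
            raise PermissionError("inbound token failed verification")  # 2. integrity
        if tok.expires <= time.time():
            raise PermissionError("inbound token expired")               # 3. freshness
        principal, issued = PRINCIPAL_MAP[tok.kind](tok.subject), int(time.time())  # 4. transform
        body = (f"<Subject><NameIdentifier>{escape(principal)}</NameIdentifier></Subject>"
                f'<AuthenticationStatement AuthenticationMethod="{tok.kind}" AuthenticationInstant="{issued}"/>')
        if delegator:  # delegation keeps the intermediary visible; impersonation would omit it
            body += f'<Attribute Name="Delegator">{escape(delegator)}</Attribute>'
        sig = _mac(self._key, body)                          # 5. sign (stand-in for XML-DSig)
        return f'<Assertion Issuer="sts" NotOnOrAfter="{issued + 300}">{body}<Signature>{sig}</Signature></Assertion>'

def verify_assertion(sts_key: bytes, assertion: str) -> str:  # relying-party side
    head, _, rest = assertion.partition("<Signature>")
    body = head.split(">", 1)[1]                              # drop the <Assertion ...> open tag
    if not hmac.compare_digest(rest[: rest.index("</Signature>")], _mac(sts_key, body)):
        raise PermissionError("assertion signature invalid")
    if int(head.split('NotOnOrAfter="', 1)[1].split('"', 1)[0]) <= time.time():
        raise PermissionError("assertion expired")
    return body.split("<NameIdentifier>", 1)[1].split("</NameIdentifier>", 1)[0]
```

The relying party only ever needs the STS signing key, so adding a new inbound credential type changes the STS configuration and `PRINCIPAL_MAP`, not the back end.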