The code for the STS at https://yorkporc.wordpress.com/2013/08/13/making-an-sts-that-responds-to-asymmetric-keying-signed-requests/ exposes metadata for the endpoint to which asymmetric keying RSTRs are sent as
Note that svcutil cannot generate a configuration for a custombinding matching this policy assertion (it requires code), even though the policy has been read:
We do see in the policy use of https://yorkporc.wordpress.com/2013/08/08/2-1-mssprsatoken/
However, we note that ACS does not fully expose what it requires, when it too responds to such keying requests. It pretends, for configuration reasons, to not require the endorsing supporting RSA token. Of course, it does in practice.