I've looked into this and as far as I can tell what is happening is that PicketLink DefaultIdentity (we are using version 1.0-20120910) does perform a check to see if the user is currently logged in:

if (isLoggedIn())
{
    if (isAuthenticationRequestWithDifferentUserId())
    {
        throw new UnexpectedCredentialException("active user: " + this.user.getId() +
                            " provided credentials: " + this.loginCredential.getUserId());
    }

    beanManager.fireEvent(new AlreadyLoggedInEvent());
    return AuthenticationResult.SUCCESS;
}

For some reason that I've yet to find, isAuthenticationRequestWithDifferentUserId is not returning true which I expected. Since the return of this call is successful the login from our AuthenticationEndpoint will also succeed.

A workaround for the short term could be to add a method to the AuthenticationManager in the TODO app, that can answer if the there is a user already logged in:

public boolean isLoggedIn() {
    return this.identity.isLoggedIn();
}

This method could then be called from AuthenticationEndpoint login:

if (authenticationManager.isLoggedIn()) {
    authenticationManager.logout();
}

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira