[keycloak-user] servlet filter and roles

Hi My client applications (some SAML, some OIDC) are all running within Tomcat 7 on OpenShift. Since the Keycloak Tomcat adapter is a Valve, the jar needs adding into the server classpath which of course I can't do on OpenShift. (Or I've struggled to at least!) Hence I'm using the generic servlet filter adapter. Looking here for SAML: http://keycloak.github.io/docs/userguide/saml-client-adapter/html/ch07.html and here for OIDC: http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#d... I can't see how to achieve the security-constraints (roles primarily). Do I need to resort to coding those in the apps, or maybe using JAAS? Thanks, Simon