Hello,
I know this has already been asked, and the Keycloak documentation also has a short
entry on this topic:
"To propagate the security context to the EJB tier you need to configure it to use
the "keycloak" security domain. This can be achieved with the @SecurityDomain
annotation:"
which is exactly what I did with all my EJBs. I even made my own quickstart/test project,
since I am trying to secure an EAR deployment with EJBs on WildFly 10 and I just cannot
get Keycloak SAML to work properly. I also annotated these beans with @PermitAll.
I am using the wildfly-saml-adapter to authenticate against an external IdP and I have
been debugging the adapter to figure out what is happening.
I can see that in
org.keycloak.adapters.saml.wildfly.SecurityInfoHelper.propagateSessionInfo(KeycloakAccount)
the SubjectInfo is created and the Principal is propagated to
org.jboss.security.SecurityContext.
I configured my WAR in my EAR to have a jboss-web.xml which points to the "keycloak"
security-domain, but it does not make any difference.
I am trying to invoke EJBContext.getCallerPrincipal() in my stateless EJB, which always
returns a SimplePrincipal with the name "anonymous". This is only true for my real application.
Everything is working as expected in my test application, since I inject the beans
directly in a servlet endpoint.
In my real application they are looked up by a JNDI lookup in code I have in JAR
deployments too. Can you please point me to any other ideas on what else I can try to get
this working?
Thank you in advance,
Manuel Waltschek