When an authorized request comes through for the hosted page resources, eg images, css files, the next valve in the chain is not called. A check should be implemented and if the user is authorized and the request is not a SAML request, then call the next valve in the chain. The hosted page itself is not affected, since it is explicitly served/handled by picketlink IDP valve.