If you want to obtain roles from the assertion, you can grab the assertion from the user's session and iterate over the attribute statements.
The assertion is available as an attribute in HttpSession with name "ASSERTION_SESSION_ATTRIBUTE_NAME" [1].
[1] https://docs.jboss.org/author/display/PLINK/SAML2AuthenticationHandler
|