Yes, I think that was a design decision from Anil, especially if you consider how old this code is.
We're targeting a refactoring of the SAML code for PL 3, so we can provide a Principal that gives access not only to roles but also to the assertion and other information from the assertion.
We're already doing something similar in the integration between PL SAML and PL Base/CDI, where you can define a Token.Consumer that knows how to extract information from the assertion. In this case, you can use PL IDM and the Identity bean to check for roles or any other attribute from the assertion.
Going to close this issue.