PicketLink's IDM offers the ability to save identity-related state in a JPA store. To do this, the identity-related classes need to be mapped to JPA entities. However, due to this indirection, other entities cannot properly reference an identity type.

Here's an example of what I mean:

The identity type:

@IdentityStereotype(USER)
public class User extends AbstractIdentityType implements Account {
    @Unique
    @StereotypeProperty(IDENTITY_USER_NAME)
    @AttributeProperty
    private String loginName;

    // any other properties, getters & setters, etc.
}

The entity that is used to save the identity type

@IdentityManaged(User.class)
@Entity
public class User {
    @Identifier
    @Id
    private String id;

    @IdentityClass
    private String identityType;

    @AttributeValue
    private String loginName;

    // createdDate, enabled, etc. and getters & setters
}

A regular JPA entity.

@Entity
public class Order {
    @Id @GeneratedValue
    private Long id;

    @ManyToOne
    private User createdBy; // Not possible; User is not an entity

    // other properties, etc.
}

The problem comes on this line:

private User createdBy;

JPA doesn't know how to map this, because User is not an entity, UserEntity is. Replacing User with UserEntity on that line fixes this, but this can create inconsistencies such as the User class containing a collection of Orders, whereas the Order class containg a reference to UserEntity in the case of a bidirectional relationship. This also introduces boilerplate – when you have an Order object and you want to get the User who placed the order, you need to inject an IdentityManager, create an IdentityQuery and so on and so forth.

Ideally, there should be an annotation that tells the JPA provider to use the appropriate entity and build the User object (or other identity object) from the entity.