It's been a while since I have looked at this code, but I think you have:
- 1 LDAP call to authenticate the user..
- 1 LDAP call to retrieve the the user...
- 1 LDAP call to retrieve the user's roles.. (I think, if you have setup that way)
Beyond that I don't recall the rest of the calls off hand... But I agree the PicketLink IDM, framework could use a different perspective, if it is to be able to support a wider authorization and authentication base.