0 Replies Latest reply on Oct 6, 2011 6:20 PM by hibernal

    Behavior of security module-option-flag

    hibernal

      Here's an unhappy mix:

      1) A legacy application that handles its own user authentication code-side

      2) A service that uses the legacy application and that when required provides SAML managed by the container

      3) A desire to port this to JBOSS, use a domain model, and avoid if possible re-rolling domain profiles to toggle SAML on or off

       

      I was thinking I might do this by setting the module option flag for the picketlink section to a variable that could be toggled between "required" and "optional" via a properties file attached to each profile ( so I could just change that rather than change the whole profile if I needed to toggle SAML on or off for some specific case ), but in the schema docs I read this:

       

      "If no required or requisite LoginModules are configured for an application, then at least one sufficient or optional LoginModule must succeed."

       

      This leaves me confused about how things will behave if I have a login module for picketlink with option module flag set to "optional" and a SAML fail case ( because the client does not present a SAML artifact ). Will JBOSS send back an HTTP 401, or will the client browse through to the login page for application-managed auth?
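
      The rule quoted in the post can be checked against the JDK's own JAAS `LoginContext`. The following is an added example, not part of the original post and not PicketLink or JBoss code: `FlagDemo`, `StubModule` and its `succeed` option are hypothetical stand-ins for real login modules. It shows only the outcome of the module stack, not which HTTP response the web container then sends.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

public class FlagDemo {
    // Hypothetical module: the "succeed" option stands in for "credential was presented and valid".
    public static class StubModule implements LoginModule {
        private boolean succeed;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            succeed = "true".equals(opts.get("succeed"));
        }
        public boolean login() throws LoginException {
            if (!succeed) throw new FailedLoginException("no credential presented");
            return true;
        }
        public boolean commit() { return succeed; }  // false means "this module is ignored"
        public boolean abort()  { return true; }
        public boolean logout() { return true; }
    }

    static AppConfigurationEntry entry(LoginModuleControlFlag flag, boolean succeed) {
        return new AppConfigurationEntry(StubModule.class.getName(), flag,
                Map.of("succeed", String.valueOf(succeed)));
    }

    // Runs the given module stack through the real LoginContext and reports the overall result.
    static boolean authenticates(AppConfigurationEntry... stack) {
        Configuration cfg = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) { return stack; }
        };
        try {
            new LoginContext("demo", new Subject(), null, cfg).login();
            return true;
        } catch (LoginException e) {
            return false;  // overall authentication failed
        }
    }

    public static void main(String[] args) {
        LoginModuleControlFlag opt = LoginModuleControlFlag.OPTIONAL, req = LoginModuleControlFlag.REQUIRED;
        System.out.println("optional(fail) alone:            " + authenticates(entry(opt, false)));
        System.out.println("optional(ok) alone:              " + authenticates(entry(opt, true)));
        System.out.println("optional(fail) + required(ok):   " + authenticates(entry(opt, false), entry(req, true)));
        System.out.println("required(fail) + optional(ok):   " + authenticates(entry(req, false), entry(opt, true)));
    }
}
```

      A stack whose only module is optional still fails overall when that module fails; a failing optional module is tolerated only when another module in the same stack succeeds and no required or requisite module fails.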