PicketBox/Picketlink does not support the XACML ABAC profile, which was ok since an external PDP (and SDK) was going to be used. But when it turned out not to be possible to extract all the information from the SAML assertion (at least to my limited knowledge), that also creates an issue with the external XACML request.
I have managed to extract my custom attributes (set by the external IdP), or roles as they are called, from the JBoss SecurityContext object. However, I cannot get hold of the "type id" of the attribute. With only the name/value of the attribute, that will create a XACML request that is not good enough (the type id will have to be "invented" and set), since the type of attribute or role cannot be determined.
For example, the role admin could also be the attribute admin (administration of a subsystem or something completely unrelated); a policy decision with that ambiguity is not desired. The same goes regarding what authentication mechanism the user has used (i.e. smart card, uid/pwd, domain account, etc.). That information is not available either.
Requested feature, bug, lack of my knowledge, or any other way to solve the uncertainty regarding the roles/attributes??
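To make the ambiguity described above concrete, here is an added Python example (not from the post and not PicketBox/PicketLink code) that parses a constructed SAML assertion and contrasts what a XACML request can carry when the attribute Name and the AuthnContextClassRef are preserved with what is left when only role values survive. The attribute names and the smart-card context class are assumed sample values; the XACML category and authentication-method identifiers are the XACML core ones.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
AUTHN_METHOD = "urn:oasis:names:tc:xacml:1.0:subject:authentication-method"

# Constructed sample assertion (not from the post): two attributes both carry the
# value "admin" but mean different things, told apart only by the SAML attribute Name.
ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}">
  <saml:AuthnStatement><saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:example:role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:example:subsystem"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Keep each attribute's Name (its type id) with its values, plus the authn context class."""
    root = ET.fromstring(xml_text)
    attrs = [(a.get("Name"), [v.text for v in a.findall("saml:AttributeValue", NS)])
             for a in root.findall(".//saml:Attribute", NS)]
    ctx = root.findtext(".//saml:AuthnContextClassRef", namespaces=NS)
    return {"attributes": attrs, "authn_context": ctx}


def roles_only(parsed):
    """What survives when only the values are exposed as 'roles': the type id is gone."""
    return {v for _, values in parsed["attributes"] for v in values}


def to_xacml_subject(parsed):
    """Subject attributes for a XACML request, one per SAML attribute, keyed by its Name."""
    req = [{"Category": SUBJECT, "AttributeId": name, "Value": v}
           for name, values in parsed["attributes"] for v in values]
    if parsed["authn_context"]:  # authentication mechanism travels as its own attribute
        req.append({"Category": SUBJECT, "AttributeId": AUTHN_METHOD, "Value": parsed["authn_context"]})
    return req


if __name__ == "__main__":
    p = parse_assertion(ASSERTION)
    print("roles only:", roles_only(p))  # two distinct attributes collapse into {'admin'}
    for a in to_xacml_subject(p):
        print(a["AttributeId"], "=", a["Value"])
```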