Below are a few items that we'd like to see in a future release, or given fair discussion/consideration.
It would be nice if PicketLink allowed me to get the Identity Type instance from the Entity which it is mapped to. I have other entities which contain a reference to the IdentityType that owns them. For example, a message entity contains the IdentityType who sent it. I can perform queries which will retrieve a reference to the IdentityType entity based on the message sender, but this entity is useless with PicketLink because it is not an identity type. My only option is to convert the entity (and all sub entities) to the POJO which PicketLink is aware of before I can use it, which, in essence, will duplicate our entire entity structure.
Permission grouping is great, but it would be nice if individual permissions could be revoked on an individual basis. For instance, if I have a Role with permissions X, Y, Z, I'd like to assign a user to that Role, but then revoke Y. In a real-world case, there are times when a Role or Group could have many permissions, yet one-off cases where a few of those permissions would need to be revoked for a particular user. This should be pretty easy to accomplish - maybe just prefix a permission with "revoke" or something for a given user, and consider that when checking if a user has a given permission. Just a thought.
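The check proposed above can be sketched as follows. This is an added example, not PicketLink code or API: the class, its methods and the `revoke:` marker format are all hypothetical. It assumes a per-user revocation overrides any role grant, and it rejects permission names that collide with the marker.

```java
import java.util.*;

// Added illustration; none of these types or methods are PicketLink APIs.
public class RevokeOverrideExample {
    static final String REVOKE_PREFIX = "revoke:"; // assumed marker format

    private final Map<String, Set<String>> rolePermissions = new HashMap<>(); // role -> permissions
    private final Map<String, Set<String>> userRoles = new HashMap<>();       // user -> roles
    private final Map<String, Set<String>> userRevocations = new HashMap<>(); // user -> "revoke:<perm>"

    void grantToRole(String role, String... perms) {
        for (String p : perms) {
            // With an in-band prefix, a permission literally named "revoke:..."
            // would be ambiguous, so refuse it when it is granted.
            if (p.startsWith(REVOKE_PREFIX)) {
                throw new IllegalArgumentException("reserved prefix: " + p);
            }
            rolePermissions.computeIfAbsent(role, k -> new HashSet<>()).add(p);
        }
    }

    void assignRole(String user, String role) {
        userRoles.computeIfAbsent(user, k -> new HashSet<>()).add(role);
    }

    void revokeForUser(String user, String perm) {
        userRevocations.computeIfAbsent(user, k -> new HashSet<>()).add(REVOKE_PREFIX + perm);
    }

    boolean hasPermission(String user, String perm) {
        // The revocation is checked first so it wins over every role grant.
        Set<String> revoked = userRevocations.getOrDefault(user, Collections.emptySet());
        if (revoked.contains(REVOKE_PREFIX + perm)) {
            return false;
        }
        for (String role : userRoles.getOrDefault(user, Collections.emptySet())) {
            if (rolePermissions.getOrDefault(role, Collections.emptySet()).contains(perm)) {
                return true;
            }
        }
        return false; // default deny: no role grants the permission
    }

    public static void main(String[] args) {
        RevokeOverrideExample acl = new RevokeOverrideExample();
        acl.grantToRole("editor", "X", "Y", "Z"); // constructed sample data
        acl.assignRole("alice", "editor");
        acl.assignRole("bob", "editor");
        acl.revokeForUser("alice", "Y");
        System.out.println("alice X: " + acl.hasPermission("alice", "X")); // true
        System.out.println("alice Y: " + acl.hasPermission("alice", "Y")); // false
        System.out.println("bob Y: " + acl.hasPermission("bob", "Y"));     // true
    }
}
```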