You are ahead of us, but not so much ...
Currently, we don't provide an OOTB functionality to properly integrate PicketLink SAML with the Application Security Stuff: CDI and Identity bean stuff.
However, we already support that, as you can check from this branch. Please let me know if this is what you are looking for.
Thanks for your help. In the end, yes, I ended up doing what you describe in the quickstart, more or less.
I also saw that if one is OK with having an Undertow dependency, one can use io.undertow.security.idm.Account, which has a getRoles() method.