For the Login Module, is there any specific configuration required to handle comma-separated values in a role specification? Using JBoss EAP 6.4 and PicketLink 2.7.1.Final, I managed to integrate into the OAM using SAML. However, the Roles in the Assertion are a CSV list instead of a set of XML nodes. Users with just one role, e.g. 'ROLE_A', are able to log in as expected. However, users with more than one role, e.g. ROLE_A,ROLE_B, cannot log in.
From the Assertion:
<security-domain name="SP" cache-type="default">
<login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/>