I followed up the picketlink quickstart for setting up a federation environment with a saml idp and associated sp. In my sp I deploy an ear app bundling both war and ejb archive. Everything is working perfectly (SAML tokens exchanged, redirection etc..) except that the java.security.Principal I'm injecting with CDI is not updated (keep at 'anonymous'). I also tried to inject SessionContext in my EJB and call method getCallerPrincipal with the same result. Note that at the Jax-rs web layer level, the user is ok (I'm injecting the jaxrs SecurityContext and I can see that the user here is the one I logged in with).