Get the RH-SSO quickstarts. Instead of adding the 'user' role to the admin directly add it to the 'admin' role. Then try the 'app-profile-saml-jee-jsp' quickstart. After login with the admin user it will display 'Forbidden' instead of showing the profile. Now remove the 'user' role from the 'admin' role and add it directly to the admin user and try again. This time it works fine.
Get the RH-SSO quickstarts. Instead of adding the 'user' role to the admin directly add it to the 'admin' role. Then try the 'app-profile-saml-jee-jsp' quickstart. After login with the admin user it will display 'Forbidden' instead of showing the profile. Now remove the 'user' role from the 'admin' role and add it directly to the admin user and try again. This time it works fine.
Description
Composite roles are not expanded in the SAML assertion.