To handle the SAML assertions returned by the Identity Provider, the Service Provider needs to be configured with the proper security domain. This is done by defining a <security-domain> element in jboss-web.xml.
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
  <security-domain>sp</security-domain>
  <valve>
    <class-name>org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator</class-name>
  </valve>
</jboss-web>
In order to use the security domain above, you need to configure it in your server. For JBoss AS7 you just need to add the following configuration to standalone.xml:
<subsystem xmlns="urn:jboss:domain:security:1.1">
  <security-domains>
    <!-- The name must match the <security-domain> value in jboss-web.xml -->
    <security-domain name="sp" cache-type="default">
      <authentication>
        <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/>
      </authentication>
    </security-domain>
    ...
  </security-domains>
</subsystem>
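A consistency check for the two files above, as an added example that is not part of the original documentation or the PicketLink project: it confirms that the security domain named in jboss-web.xml is defined in the server configuration and backed by SAML2LoginModule, and that the Service Provider valve is present. The function names and the inline sample documents are constructed for illustration, and treating the legacy "java:/jaas/sp" form as equivalent to "sp" is an assumption.

```python
import xml.etree.ElementTree as ET

SAML2_LOGIN_MODULE = "org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule"
SP_VALVE = "org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator"

def find_all(root, name):
    """Match on local name only, so any version of the subsystem namespace works."""
    return [el for el in root.iter() if el.tag.rsplit("}", 1)[-1] == name]

def check_sp_config(jboss_web_xml, server_xml):
    """Return a list of problems; an empty list means the two files agree."""
    web, server = ET.fromstring(jboss_web_xml), ET.fromstring(server_xml)
    declared = find_all(web, "security-domain")
    domain = (declared[0].text or "").strip() if declared else ""
    if not domain:
        return ["jboss-web.xml has no <security-domain> element"]
    # Assumption: the legacy "java:/jaas/sp" form names the same domain as "sp".
    domain = domain.rsplit("/", 1)[-1]
    problems = []
    valves = [(c.text or "").strip()
              for v in find_all(web, "valve") for c in find_all(v, "class-name")]
    if SP_VALVE not in valves:
        problems.append("ServiceProviderAuthenticator valve is missing from jboss-web.xml")
    matches = [d for d in find_all(server, "security-domain") if d.get("name") == domain]
    if not matches:
        problems.append(f"security domain '{domain}' is not defined on the server")
    elif not any(m.get("code") == SAML2_LOGIN_MODULE
                 for m in find_all(matches[0], "login-module")):
        problems.append(f"security domain '{domain}' does not use SAML2LoginModule")
    return problems

# Constructed sample inputs that mirror the two snippets above.
JBOSS_WEB = f"""<jboss-web>
  <security-domain>sp</security-domain>
  <valve><class-name>{SP_VALVE}</class-name></valve>
</jboss-web>"""
SERVER = f"""<subsystem xmlns="urn:jboss:domain:security:1.1">
  <security-domains>
    <security-domain name="sp" cache-type="default">
      <authentication>
        <login-module code="{SAML2_LOGIN_MODULE}" flag="required"/>
      </authentication>
    </security-domain>
  </security-domains>
</subsystem>"""

if __name__ == "__main__":
    print(check_sp_config(JBOSS_WEB, SERVER) or "configuration is consistent")
    # A domain name that the server does not define is the mismatch to catch.
    print(check_sp_config(JBOSS_WEB.replace(">sp<", ">idp<"), SERVER))
```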

