My intention is to implement with PicketLink something similar to what Atlassian has done in Crowd.
In more detail, I want a single PicketLink instance to provide authentication, authorization, SSO and IdM services to multiple Java EE applications. The point here is to have a single place for JPA/LDAP configuration, custom IdM model and custom authenticators (all the above will be shared between client applications).
As far as I've learned from the documentation, PicketLink doesn't offer this out of the box. I would imagine client applications using PicketLink APIs, but the actual calls being proxied to master PicketLink instance via RMI/Hessian/REST etc. I would appreciate any expert opinion on whether this architecture will be viable, as well as any other criticisms and suggestions.
You are looking for SAML. PicketLink supports SAML.
You can create a PicketLink instance (basically a Java EE app) that acts as an identity provider. This instance will be the "... single place for JPA/LDAP configuration, custom IdM model and custom authenticators". The other Java EE applications will act as Service Providers. These apps can consume the SAML-based identity service provided by the identity provider:
Some remarks:
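To make the IdP/SP split above concrete, here is an added example (not from the answer or the PicketLink project) of the two `picketlink.xml` descriptors such a deployment would carry: one in the central IdP application, one in each consuming application. It assumes PicketLink Federation 2.1 and its `KeyStoreKeyManager`; the URLs, context paths, keystore path, passwords and alias are constructed placeholders. The security-relevant settings are `SupportsSignatures="true"` with the signature validation handler on both sides, so an SP only accepts assertions the IdP actually signed, and the IdP's `Trust/Domains` list, which limits the SP domains the IdP will issue assertions to.

```xml
<!-- picketlink.xml of the central identity provider application (hypothetical context path /idp) -->
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1" SupportsSignatures="true">
    <IdentityURL>${idp.url::https://sso.example.internal/idp/}</IdentityURL>
    <!-- Only SPs on these domains get assertions; keep this list tight. -->
    <Trust>
      <Domains>sso.example.internal,apps.example.internal</Domains>
    </Trust>
    <!-- Signing key for assertions; keystore values are placeholders, not real secrets. -->
    <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
      <Auth Key="KeyStoreURL" Value="/idp-keystore.jks" />
      <Auth Key="KeyStorePass" Value="KEYSTORE-PASSWORD-PLACEHOLDER" />
      <Auth Key="SigningKeyPass" Value="SIGNING-KEY-PASSWORD-PLACEHOLDER" />
      <Auth Key="SigningKeyAlias" Value="idp-signing" />
      <!-- Certificate used to validate requests arriving from each SP host. -->
      <ValidatingAlias Key="apps.example.internal" Value="idp-signing" />
    </KeyProvider>
  </PicketLinkIDP>
  <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" />
  </Handlers>
</PicketLink>

<!-- picketlink.xml of one consuming application acting as service provider (hypothetical path /sales) -->
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
                BindingType="POST" SupportsSignatures="true">
    <IdentityURL>${idp.url::https://sso.example.internal/idp/}</IdentityURL>
    <ServiceURL>${sales.url::https://apps.example.internal/sales/}</ServiceURL>
    <!-- The SP needs the IdP certificate to validate assertion signatures. -->
    <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
      <Auth Key="KeyStoreURL" Value="/sp-keystore.jks" />
      <Auth Key="KeyStorePass" Value="KEYSTORE-PASSWORD-PLACEHOLDER" />
      <Auth Key="SigningKeyPass" Value="SIGNING-KEY-PASSWORD-PLACEHOLDER" />
      <Auth Key="SigningKeyAlias" Value="sp-signing" />
      <ValidatingAlias Key="sso.example.internal" Value="idp-signing" />
    </KeyProvider>
  </PicketLinkSP>
  <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" />
  </Handlers>
</PicketLink>
```

Each SP keeps only its own private key plus the IdP's public certificate; the IdP never needs the SPs' private keys, which is what makes the central instance the single place for authenticators and IdM configuration without sharing secrets outward.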