IDM operations are invoked from a WS facade in our environment, and not from the GUI. Therefore, we have overridden PicketLinkIDMOrganizationServiceImpl.recoverFromIDMError to just let any errors bubble up and let the upper layer handle them, instead of rolling back + restarting the transaction.
But this is where the exception handling is not working as expected. The issue is in PicketLinkIDMOrganizationServiceImpl.flush():
Let's assume there is an exception at session.save() in line 166. This exception is then handled by the recoverFromIDMError method in line 170. In our environment, this method is overridden and throws an Exception.
But the initial goal of overriding this method, which was to have this exception propagated to the caller, is not reached here, as there is an outer try..catch block in the PicketLinkIDMOrganizationServiceImpl.flush() method which just logs the error.
The outer try..catch block should be removed in flush() and endRequest().
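
The control flow described in this report, as an added illustration written for this page and not taken from the PicketLinkIDMOrganizationServiceImpl source. The class, save(), the two flush variants and callerSeesFailure are hypothetical stand-ins, and recoverFromIDMError here only mimics the rethrowing override.

```java
// Constructed illustration; not the PicketLinkIDMOrganizationServiceImpl source.
public class FlushPropagationDemo {
    // Stand-in for the persistence call that fails (session.save() in the report).
    static void save() {
        throw new IllegalStateException("simulated save failure");
    }

    // Stand-in for the overridden hook: rethrow instead of rollback + restart.
    static void recoverFromIDMError(Exception e) {
        throw new RuntimeException("IDM operation failed", e);
    }

    // Shape described in the report: the outer catch logs and swallows the rethrown error.
    static void flushWithOuterCatch() {
        try {
            try {
                save();
            } catch (Exception e) {
                recoverFromIDMError(e); // throws, as the override intends
            }
        } catch (Exception e) {
            System.err.println("logged only: " + e.getMessage()); // caller never sees it
        }
    }

    // Proposed shape: no outer catch, so the override's exception reaches the caller.
    static void flushWithoutOuterCatch() {
        try {
            save();
        } catch (Exception e) {
            recoverFromIDMError(e);
        }
    }

    // Returns true if the caller (for example the WS facade) observed the failure.
    static boolean callerSeesFailure(Runnable flush) {
        try {
            flush.run();
            return false;
        } catch (RuntimeException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        System.out.println("outer catch present, caller sees failure: " + callerSeesFailure(FlushPropagationDemo::flushWithOuterCatch));
        System.out.println("outer catch removed, caller sees failure: " + callerSeesFailure(FlushPropagationDemo::flushWithoutOuterCatch));
    }
}
```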