With Elytron security, deployments are limited to using one security domain per deployment. There should be documentation showing how to aggregate multiple identity store into common authentication policy in one Elytron security domain.
As previously this was not the case, the following scenarios should be documented as the bare minimum:

• Aggregate previously used PicketBox security realms backed by different security providers into single common authentication policy represented by Elytron security domain. The most common scenarios include (but are not limited to):
  • LDAP with failover to DB/properties file,
  • two LDAP servers,
  • Kerberos with fallback to different authentication method if the authentication fails.
• Migrating deployments using servlets and beans with different security domains.
• Migrating deployments using multiple beans with different security domains.
• Describe principal and role propagation (for example in EJBs) between security domains and deployments and the behaviour differences from legacy security.