IMO, one important requirement for this auditing architecture is adopt a event driven architecture, where we could raise events for certain operations like when a token is issued, canceled, validated, revoked, some expception or condition occurs, etc.
With an architecture like this we can think in using drools, for example, to apply some additional processing when some condition happens. Suppose we want to know when a certain user logs in based on informations contained in the saml assertion.
Another important thing is that this can help PicketLink to provide some statistcs about the federation like: nr. tokens issued, canceled, loguts, revocations, unsuccesful authentications, statistics about users, etc. Maybe this can be persisted in a database.
I think we can start coding something about this in PL 2.1.0.