// requestAuthentication is only called after a failedauthentication
// so it makes sense to remove any existing login
final RelyingParty relyingParty = getRelyingParty(request);
relyingParty.invalidate(request, response);
HashMap<String, String> params = new HashMap<String, String>();
params.put(Authenticator.LOGIN_RESOURCE,
getLoginResource(request, null));