My attempted scenario seems to be supported: An ADFS Authenticated
browser makes a request to access a NAM protected resource. Through the
miracle of SAML federation, NAM leverages the ADFS authentication and
the user gets access to the NAM protected resource without having to
enter credentials at NAM. Basic SSO.

First question: Any gaps in my thinking on this scenario? Should be
doable, with ADFS as the IDP, and the NAM PR as the Service Provider
(relying party).


The documentation here "more or less" describes the scenario we're
trying to implement:

But there are key assumptions about steps 1 and 2 that are unspoken and
confusing. The diagram appears to skip some KEY steps. Does it?

So I'm asking... anyone out there know how this flow ACTUALLY works at a
detailed level? A link to a 100% detailed flow that does not skip steps
would be good.
Here are my assumptions/details that I think are missing from the
BASE Assumption: The user browser is authenticated to SOME identity
provider. In my scenario, the browsing user has already authenticated
to ADFS, and should have SOME kind of session cookie, or other "token"
indicating it is authenticated.

Step 1 in the Docs: User clicks on a link at
==In my case, the user is on a Microsoft Dynamics CRM application, and
they click a SUBMIT and post data to a protected resource in NAM.

HERE is where the docs go wonky:
The service provider sees a request for access to a protected resource
and creates a SAML assertion for the IDP, and redirects it to the
browser, and the docs say the assertion contains information about the
user making the post. HOW??

=======DOC EXCERPT=======
The URL sent to the Identity Server would look similar to the following:
The Identity Server at receives the assertion.

The assertion is sent to the Identity Server packaged in a SOAP
envelope. In this example, the assertion contains the attributes
lastname=Jones, and phonenumber=555-1212.
===========END DOC EXCERPT========

Whoa, whoa, whoa... The Assertion Contains the Attributes...Where in the
preceding steps could the SP (NAM in this case) have gathered such
information to include in the assertion?

Seriously... the SP received a POSTed request to access a NAM protected
resource, and the POSTed request contains no information on who is
making the post... unless NAM can make use of the ADFS Session Cookie to
somehow leverage the authentication/authorization to this protected

How does NAM get this information that it is supposedly inserting in the

Again... a link to the full flow of re-directs and contents of various
assertions would help, even if it's SAML docs, not NAM/Novell/NETIQ
docs. Any gaps in my process thinking?
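The SP-initiated SAML 2.0 Web Browser SSO exchange this post asks about, as an added walkthrough in code that is not from the post or from the NetIQ/Microsoft documentation: dicts replace signed XML, an HMAC stands in for XML-DSig, plain function calls stand in for the browser redirects, and the entity ID, key and user record are placeholders (the lastname/phonenumber values are the ones from the doc excerpt).

```python
import hashlib, hmac, secrets, time

IDP_KEY = b"idp-signing-key-placeholder"          # stands in for the IdP's signing certificate
SP_ENTITY_ID = "https://nam.example.test/saml2"   # hypothetical entity ID of NAM, the SP

def sign(assertion: dict) -> str:
    # HMAC stand-in for the XML signature the IdP places on the assertion
    return hmac.new(IDP_KEY, repr(sorted(assertion.items())).encode(), hashlib.sha256).hexdigest()

class ServiceProvider:
    """NAM-style SP: holds no user identity until a valid assertion arrives from the IdP."""
    def __init__(self):
        self.pending, self.sessions = {}, {}
    def handle_request(self, resource):
        # Steps 1-2: unauthenticated POST -> AuthnRequest (ID + issuer, no attributes) and a RelayState
        req_id = "_" + secrets.token_hex(8)
        self.pending[req_id] = time.time()
        return {"ID": req_id, "Issuer": SP_ENTITY_ID}, resource   # browser is redirected to the IdP
    def consume_response(self, response, relay_state):
        # Assertion Consumer Service: validate before trusting anything inside the assertion
        a = response["Assertion"]
        if response["InResponseTo"] not in self.pending: raise ValueError("unsolicited response")
        if not hmac.compare_digest(sign(a), response["Signature"]): raise ValueError("bad signature")
        if a["Audience"] != SP_ENTITY_ID: raise ValueError("assertion meant for another SP")
        if a["NotOnOrAfter"] < time.time(): raise ValueError("assertion expired")
        del self.pending[response["InResponseTo"]]     # one-time use
        sid = secrets.token_hex(8)
        self.sessions[sid] = a["Attributes"]           # the SP session is created only here
        return relay_state, sid

class IdentityProvider:
    """ADFS-style IdP: the only party that knows who the browser user is (via its own cookie)."""
    def __init__(self):
        self.cookies = {}
    def login(self, user):
        cookie = secrets.token_hex(8); self.cookies[cookie] = user; return cookie
    def handle_authn_request(self, authn_request, cookie):
        user = self.cookies.get(cookie)
        if user is None: raise PermissionError("no IdP session: the IdP would show its login page")
        a = {"Subject": user["name"], "Audience": authn_request["Issuer"], "NotOnOrAfter": time.time() + 300,
             "Attributes": {"lastname": user["lastname"], "phonenumber": user["phonenumber"]}}
        return {"InResponseTo": authn_request["ID"], "Assertion": a, "Signature": sign(a)}

def run_flow(resource="/protected/crm-submit"):
    # Drive the whole exchange; returns (resource granted, attributes the SP learned)
    sp, idp = ServiceProvider(), IdentityProvider()
    cookie = idp.login({"name": "bjones", "lastname": "Jones", "phonenumber": "555-1212"})  # constructed user
    authn_request, relay_state = sp.handle_request(resource)      # browser -> NAM -> 302 to IdP
    response = idp.handle_authn_request(authn_request, cookie)    # browser (IdP cookie) -> IdP -> 302 to NAM
    granted, sid = sp.consume_response(response, relay_state)     # browser -> NAM assertion consumer
    return granted, sp.sessions[sid]
```

The attributes only ever originate at the IdP side of the exchange, and the SP checks InResponseTo, signature, audience and validity window before creating its own session.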