A process in which a NAM-protected resource is accessed via SAML SSO to
an ADFS identity provider is providing unexpectedly mixed results.

A SAML response is generated at the IDP, with success and the correct
attribute values. Comparing the SAML Response coming from ADFS between
a working user and one that fails, the only differences appear to be the
email address, timestamps, session IDs, etc.: things you would
expect to be different.

However, in the Fiddler trace I do see a difference in behavior:

WORKING TRACE
SAML Assertion delivered to the Assertion Consumer, followed by --
302 nidp/idff/sso?sid=0

FAILING TRACE
SAML Assertion delivered to the Assertion Consumer, followed by --
200 nidp/jsp/content.jsp?sid=0&sid=0

Is this failing trace just saying that SSO was not achieved, and hence
I'm being rerouted to an authentication card? (That is the result, BTW.)
I've LDIF compared the users and see no reason for the SSO to fail.

Any suggestions on where the next best place to look is, given the
above? Or do I need to crank up the IDP log level on a failing attempt?
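
The response comparison described in the post, as an added example that is not part of the original post: it decodes two captured base64 SAMLResponse values and reports only the differences left after ignoring fields that change on every login. The volatile-field list, the function names and the sample responses are assumptions constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET  # offline triage of your own captures only
# Assumed list of fields that legitimately change on every login.
VOLATILE_ATTRS = {"ID", "IssueInstant", "InResponseTo", "NotBefore",
                  "NotOnOrAfter", "AuthnInstant", "SessionIndex"}
VOLATILE_ELEMS = {"SignatureValue", "DigestValue"}
def local(tag):  # strip the '{namespace}' prefix ElementTree adds to names
    return tag.rsplit("}", 1)[-1]

def flatten(b64_response):
    """Return {path: [values]} for every non-volatile attribute and text node."""
    facts = {}
    def walk(elem, path):
        name = local(elem.tag)
        if name in VOLATILE_ELEMS:
            return
        if name == "Attribute":  # key by Name so statement order is irrelevant
            name += "[%s]" % elem.get("Name")
        path = path + "/" + name
        for key, value in elem.attrib.items():
            if local(key) not in VOLATILE_ATTRS:
                facts.setdefault(path + "/@" + local(key), []).append(value)
        if elem.text and elem.text.strip():
            facts.setdefault(path, []).append(elem.text.strip())
        for child in elem:
            walk(child, path)
    walk(ET.fromstring(base64.b64decode(b64_response)), "")
    return facts

def diff_responses(working_b64, failing_b64):
    """Return {path: (working_values, failing_values)} where they differ."""
    a, b = flatten(working_b64), flatten(failing_b64)
    return {p: (a.get(p), b.get(p)) for p in sorted(a.keys() | b.keys())
            if a.get(p) != b.get(p)}

# Constructed sample responses (not taken from the post's environment).
FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:"
def sample(rid, when, name_id_format, email):
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
           ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{0}"'
           ' IssueInstant="{1}"><saml:Assertion ID="{0}a"><saml:Subject>'
           '<saml:NameID Format="{2}">{3}</saml:NameID></saml:Subject>'
           '<saml:AttributeStatement><saml:Attribute Name="mail">'
           '<saml:AttributeValue>{3}</saml:AttributeValue></saml:Attribute>'
           '</saml:AttributeStatement></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.format(rid, when, name_id_format, email).encode())
WORKING = sample("_r1", "2020-01-01T10:00:00Z", FMT + "emailAddress", "alice@example.com")
FAILING = sample("_r2", "2020-01-01T10:05:00Z", FMT + "unspecified", "bob@example.com")
for path, (ok, bad) in diff_responses(WORKING, FAILING).items():
    print(path, "working=%r failing=%r" % (ok, bad))
```

Any path in the output other than the user's own identifier values is a difference that a side-by-side read of the raw XML can miss.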