We have applications that both internal and federated users use.
We have two portal (landing) URLs that display a list of applications a
user can use. The 2 portal URLs point to the same backend page; one URL
is configured to be protected by a form login (id/password)
authentication contract (contract 1, level 1, satisfied by a higher-level
contract), the other portal URL is protected by a federated
authentication contract (contract 2, satisfied by external IDP, level
2). All applications are also protected by contract 1.
When internal users come to portal 1, they see the login form and log in
using id and password; after that they click one or more applications
and get access.
External users come to the federated URL and get authenticated with
their own IDP (contract 2) and also see the list of applications. Since
they are protected by contract 1 and contract 1 is also satisfied by
contract 2, they get access to these apps without issue.
The problem is at timeout. If a user has been idle for a while and NAM
times out, and the user then clicks a button on the application page,
since apps are protected by contract 1, NAM will prompt the user to log
in using id/password (form). That's fine for internal users but does not
work for external users.

I could configure separate URLs for applications and protect them using
contract 2, but there are SharePoint applications that don't like an
extra path (path-based multi-home proxy with an artificial path; we tried
to do that with SharePoint apps, and the rewrite always messes up the
links and resources).
Any suggestion on how to make this work is appreciated.

mxu1386's Profile: https://forums.netiq.com/member.php?userid=1361
View this thread: https://forums.netiq.com/showthread.php?t=52668