Up to this point, all of our back-end applications have a login page
(userid/password) that queries our eDir via LDAP. We use NAM to
front-end the web apps and usually do a FormFill for SSO.

However, we are having to set up some new web apps that will service
both our internal users and users maintained by a third-party directory
that we have no control over.

We have set up (and it works) NAM as an SP to the external IdP via SAML.
(The user logs in to the "other" external site and gets allowed access to
our stuff via NAM and SAML.)

The question:

Since we do not have the passwords (nor can we get them) from this
external directory, what are our options for configuring OUR web
applications to authenticate the users (both our users and the external

We thought that there would be some mechanism to have the web
application query/read/accept something that NAM can provide to tell it
that the user has already been authenticated.

I think we could somehow code the web app to use SAML to query our NAM
IDP (?)
Use the J2EE agent (but I'm not particularly keen on agent-based

Is there some other mechanism? Like have NAM send something to the
web app (kinda like how the IDM UserApp works where you send an identity
injection with the userid, but then a SAML assertion and the IDM UserApp
"reads/accepts" that?)

I'm not a programmer, but looking for options (rather "high-level"
description) and then maybe a pointer to some doc site or web code that
I can point the developers to.

Thank you

The opinions expressed are my own.
kjhurni's Profile: http://forums.novell.com/member.php?userid=734
View this thread: http://forums.novell.com/showthread.php?t=445928
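To illustrate the "have NAM send something to the web app" option the poster mentions (identity injection of the authenticated userid into a request header), here is an added example of how the receiving web application should consume such a header. It is not code from the original thread or from NAM, and it assumes hypothetical header names (`X-Injected-User`, `X-Gateway-Secret`), a hypothetical gateway subnet, and that the gateway can be configured to inject a constant shared-secret header; the request headers and addresses below are constructed sample input. The security point it shows is that an injected header is only as trustworthy as the app's ability to prove the request actually came through the gateway, since NAM (not the app) is the party that authenticated the user, whether via LDAP or via the external SAML IdP.

```python
import hmac
import ipaddress

# Assumed names: NAM identity injection lets the administrator choose the
# header names, so these are placeholders for this example only.
USER_HEADER = "X-Injected-User"
SECRET_HEADER = "X-Gateway-Secret"

# Assumed deployment details (constructed for this example): the secret the
# gateway is configured to inject, and the network the gateway lives on.
GATEWAY_SECRET = "constructed-example-secret-rotate-me"
GATEWAY_NETWORKS = [ipaddress.ip_network("10.0.5.0/24")]


def _normalize(headers):
    """HTTP header names are case-insensitive; normalize for lookup."""
    return {k.lower(): v for k, v in headers.items()}


def from_gateway(remote_addr):
    """True only if the TCP peer is one of the configured gateway networks."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in GATEWAY_NETWORKS)


def authenticate_request(headers, remote_addr):
    """Return the userid the gateway vouched for, or None if not trusted.

    Three checks, all of which must pass:
      1. the request came from the gateway's network (not straight from a
         browser that bypassed NAM);
      2. the constant secret header the gateway injects is present and
         matches (compared in constant time);
      3. the injected userid is non-empty.
    The userid itself is never validated against a password: NAM already
    did the authentication (LDAP for internal users, SAML for external).
    """
    if not from_gateway(remote_addr):
        return None
    h = _normalize(headers)
    presented = h.get(SECRET_HEADER.lower(), "")
    if not hmac.compare_digest(presented, GATEWAY_SECRET):
        return None
    user = h.get(USER_HEADER.lower(), "").strip()
    if not user:
        return None
    return user


def handle(headers, remote_addr):
    """Minimal request handler: returns (status, body) like a WSGI app would."""
    user = authenticate_request(headers, remote_addr)
    if user is None:
        return 401, "not authenticated via the access gateway"
    return 200, "hello, " + user


if __name__ == "__main__":
    # Constructed sample requests for demonstration.
    good = {USER_HEADER: "alice", SECRET_HEADER: GATEWAY_SECRET}
    print(handle(good, "10.0.5.7"))          # (200, 'hello, alice')
    # Same headers, but the client connected directly, bypassing NAM.
    print(handle(good, "203.0.113.9"))       # (401, ...)
    # Came from the gateway network but the secret header is missing.
    print(handle({USER_HEADER: "alice"}, "10.0.5.7"))  # (401, ...)
```

Two operational notes go with this: the gateway must be configured to strip any client-supplied copy of these headers before injecting its own, and the application servers should only be reachable from the gateway network (firewall or listener binding), so that the address check is enforced by the network and not just by this code.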