Have the following scenario:

NAM 4.0SP1 HF1 as SP - configured user store is eDirectory/IDM

User authenticated via federation, with matching based on an attribute supplied in the assertion.
Password retrieval configured as a post authentication method.

Configured so that the federated user satisfies a specific contract created just for this federation (which has no method assigned). This contract has the "satisfiable by an external provider" ticked off.

This all works, users are federated and when accessing protected resources - stuff like Identity Injection works (uses the username and password as matched/retrieved above).

However, if I configure a URL for Password expiration servlet or Login Redirect URL on the satisfied contract - neither of these trigger (despite the fact the matched user's password was configured as expired).
Accessing directly (same user, same protected resource, different contract) both Password expiration servlet or Login Redirect URL are triggered if configured.

Is this something that should work? Any ideas on how to make this work?