Hello everyone,

as $subject probably indicates, we have a NAM 4.x setup, federated with
an external SAML2 IDP and an internal SAML2 SP.
Everything is working insofar as we can perform an authentication
request from the SP and at the NAM login page, select the external IDP,
log in there, and voila, logged in.

However, this specific Service Provider requires authentication to be
performed by the external IDP *only*.
The customer wants those authentication requests to be automatically
redirected to the external IDP, so users cannot inadvertently choose
the wrong authentication method.

How do we instruct NAM to do this? What I have done so far:
* Created a specific "External SAML" contract with "satisfiable by
external provider" checked
* Added the contract to the external IDP configuration ("Satisfies contract")
* Added the contract as a step-up contract to the SP configuration

Surely, on every authentication request the "External SAML" contract is
now selected, but it does not automatically redirect me:
* when I select an authentication method in the contract, it displays
that method's login page
* when I remove all authentication methods from the contract, I get a
500 error from NAM

I am starting to wonder if this is even possible. Has anyone
accomplished automatic selection of a federated IDP?