Hi everyone,

Consider the following issue:
* NAM IDP1-IDP2 federation with SAML2, where IDP1 is the SP
* IDP2 identifies internal users via Kerberos SSO and sends the username
to IDP1
* IDP1 must transparently match the user in its userstore and retrieve

We do not want persistent federation with a consent question, so I have
configured transient identifiers with attribute matching. This does not
seem to work well, alas.

How would you configure the IDPs in the above scenario?