I am working with a client trying to get NAM to provision attributes to
the local user store when the user is created via federation (SAML 2.0)
from a third-party IDP (also NAM, though probably 4.2). The IDP sends a
multi-valued attribute which we see nicely with the SAML Tracer plugin to
Firefox, but the multiple values are not all written to the local user
store (though one value is). Does anybody have a way this has been done,
perhaps with a custom authentication class or similar?

Similarly, we would like for attributes to be updated in our system as
they are changed in the remote systems. The remote system sends the value
all of the time as I recall, but our system does not "provision" the users
that exist, so no updates happen to any attribute, whether single-valued
or multi-valued. Has anybody worked around this in the past without doing
something like using IDM, or external scripts, to synchronize the data?

Thanks in advance,