If I set up an external attribute source from a database with two new virtual attributes, I assume that will be available for identity injection and for passing in an assertion. But if we configure NAM to provision accounts that are not already there, could NAM also modify the matching existing object in the LDAP store with values from the external attributes? The reason is that the attributes I need will be required by Advanced Authentication (mobile and eMail address which are stored in a database while the rest of the identity is in ADLDS). Advanced Authentication could be the IDP and NAM the SP but then we don't get features like external attributes in their IDP, so that probably won't serve the need.