Hi all,

I have a setup where I use an external IDP to identify users.
The setup is like this:
AM is acting as a SAML IDP to a web service, with a step-up contract pointing to a contract that is verified externally.
AM is an SP that has an external IDP verifying users.
We have set up attribute matching and so forth; all of this is working.
But now my customer wants internal users to be able to log in to the same application using Kerberos, and external users to use the step-up contract.
Does anybody have an idea how to do this and still have it seamless to end users, that is, internal users get logged in by the Kerberos contract and external users get logged in by the external contract?
I have tried risk-based policies (matching IP address), but I can't really seem to get it seamless; external users are prompted with the Kerberos fallback auth before being redirected to the external IDP login.