Anyone done a Cool Solution, or similar, that explains the integration of NAM and AAF?

I've found several, a couple of which are Neil's, but none clearly explains how it all interlinks and the documentation is too disjointed to get a clear view of the integration.

SAML, OAuth, Basic, End Points, Events: I have a bit of an idea about each, but not enough to work out how they play with each other. At the moment the Shared AAF is set to use an OAuth Event (I can't find doco on what the redirect URI should be; at the moment it's https://[idp url]/nidp/oauth/nam/token ).

SAML and Basic appear to be only related to accelerating AAF through NAM and providing SSO between AAF and other NAM protected resources.

The AAF has 1 tenant (TOP) and 3 stores (builtin + 2 x edir)... the UI login correctly leaps as required with just username entry for both /admin and /account.

I just want to start off with the very basics:

Have NAM use the RiskEngine to decide on Step Up authentication (i.e. Smartphone/TOTP/etc.) based on Location (Neustar & DB currently working, and it's correctly deciding that AAF is required; tried "Dynamic", at which point it's an infinite loop of "Username" entry with no details, and the logs show nothing useful)... which is chained after the user has done the username/password NAM contract.