I have a customer that want there users to be able to use smart card or password/sms otp when authenticating to a SP initiated Saml federation and not beeing on the lan so that Kerberos is active
As I see it you have to edit the Access Manager Metadata for that SP to point to a loginpage where you can choose from different contracts, is that right?
If it's easy to solve and keep it SP initiated I figure that thats the way to go, since sso probably will work better in that case

I figure a other way to do it would to be a IDP initiated login page with 2 diffrent login cards. I'm not a skilled java script person, but I can copy and past and fiddle a bit
Has somebody done something similar and can show me a code example?

thanks in advance