> The "magical" bit would be...
> 5. Shibboleth has authenticated the user; it can proceed to add claims.
Yes, but my point was: what claims? Specifically, in Shib IdP terms: what is the DataConnector used to source the attributes? One solution would be to plug the Principal into the LDAP that hangs off AD, but you need to find the relevant AD... Or you could just say "she logged in, I'll generate ePSA and send the principal off as ePPN" (which is, AFAIR, against UKFED rules).