The "magical" bit would be...
1. Shibboleth receives referral from service provider.
2. Shibboleth sends the request up to AD FS.
3. User authenticates to AD FS (invisibly on domain-joined devices).
4. AD FS returns the browser to Shibboleth.
5. Shibboleth has authenticated the user; it can proceed to add claims.
6. Shibboleth redirects the browser back to the service provider.
7. [user is authenticated]
Some great replies here. Lots to consider!
Thanks again for replying.
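The seven-step flow above, modelled end to end as an added example (this is not code from the original post, nor from Shibboleth or AD FS). Each party is an in-memory object and the SAML AuthnRequests and Responses are plain dicts; the entity IDs, attribute names and the user directory are constructed sample values. The point it shows beyond the list is where the proxy IdP has to keep state: Shibboleth must bind the AD FS response back to the upstream request it issued (InResponseTo) and to the original SP request, check issuer and audience, and only then add its own claims and answer the SP. A replayed AD FS response is rejected because its pending entry has already been consumed.

```python
"""Model of a Shibboleth IdP proxying authentication to AD FS.

Added example; not from the original post or from Shibboleth/AD FS.
Entity IDs, attribute names and the directory below are constructed."""
import secrets

SP_ID = "https://sp.example.edu/shibboleth"              # constructed
IDP_ID = "https://idp.example.edu/idp/shibboleth"        # constructed
ADFS_ID = "http://adfs.example.edu/adfs/services/trust"  # constructed

# Constructed stand-in for the IdP's attribute source (an LDAP/AD lookup in practice).
DIRECTORY = {"jdoe": {"eduPersonAffiliation": "staff", "mail": "jdoe@example.edu"}}


class ServiceProvider:
    def __init__(self):
        self.pending = {}  # request ids this SP has issued and not yet seen answered

    def start_login(self):
        # Step 1: SP refers the browser to Shibboleth with an AuthnRequest.
        req_id = "_" + secrets.token_hex(8)
        self.pending[req_id] = True
        return {"type": "AuthnRequest", "id": req_id, "issuer": SP_ID, "destination": IDP_ID}

    def consume(self, resp):
        # Step 7: accept only a response from our IdP, for us, to a request we issued.
        if resp["issuer"] != IDP_ID or resp["audience"] != SP_ID:
            raise ValueError("response not issued by our IdP for this SP")
        if not self.pending.pop(resp["in_response_to"], None):
            raise ValueError("unsolicited or replayed response")
        return resp["subject"], resp["attributes"]


class ShibbolethIdP:
    """Proxy IdP: authenticates via AD FS, then adds its own claims."""
    def __init__(self):
        self.pending = {}  # upstream (AD FS) request id -> original SP request

    def handle_sp_request(self, sp_req):
        # Step 2: remember the SP request, send the browser up to AD FS.
        if sp_req["destination"] != IDP_ID:
            raise ValueError("request not addressed to this IdP")
        up_id = "_" + secrets.token_hex(8)
        self.pending[up_id] = sp_req
        return {"type": "AuthnRequest", "id": up_id, "issuer": IDP_ID, "destination": ADFS_ID}

    def handle_adfs_response(self, resp):
        # Steps 4-6: bind the AD FS response to an outstanding upstream request,
        # check it was issued by AD FS for this IdP, then add claims and answer the SP.
        if resp["issuer"] != ADFS_ID or resp["audience"] != IDP_ID:
            raise ValueError("upstream response not issued by AD FS for this IdP")
        sp_req = self.pending.pop(resp["in_response_to"], None)
        if sp_req is None:
            raise ValueError("unsolicited or replayed upstream response")
        user = resp["subject"]
        attrs = dict(DIRECTORY.get(user, {}))  # the IdP's own claims, not AD FS's
        attrs["authnSource"] = ADFS_ID         # record where authentication happened
        return {"type": "Response", "issuer": IDP_ID, "audience": sp_req["issuer"],
                "in_response_to": sp_req["id"], "subject": user, "attributes": attrs}


class ADFS:
    def authenticate(self, req, windows_user):
        # Step 3: user authenticates (e.g. integrated Windows auth on a domain-joined
        # device); AD FS answers exactly the request it received.
        if req["destination"] != ADFS_ID:
            raise ValueError("request not addressed to AD FS")
        return {"type": "Response", "issuer": ADFS_ID, "audience": req["issuer"],
                "in_response_to": req["id"], "subject": windows_user}


def run_flow(windows_user="jdoe"):
    """Run the whole chain once and then try to replay the AD FS response."""
    sp, idp, adfs = ServiceProvider(), ShibbolethIdP(), ADFS()
    sp_req = sp.start_login()
    up_req = idp.handle_sp_request(sp_req)
    up_resp = adfs.authenticate(up_req, windows_user)
    final = idp.handle_adfs_response(up_resp)
    subject, attrs = sp.consume(final)
    try:
        idp.handle_adfs_response(up_resp)  # second delivery of the same response
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return subject, attrs, replay_rejected


if __name__ == "__main__":
    print(run_flow())
```

The pending-request tables are the part that matters operationally: with a real Shibboleth deployment that state lives in the IdP's session store, and if it is lost (for example across unsticky cluster nodes) the AD FS return leg fails in exactly the way the `unsolicited or replayed upstream response` branch models.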