Next quarter we will start working on federating user accounts. The idea is to allow users from other branches of the department to use our application with their own accounts (which already exist in their
own ID store). We will create one account (in our AD server) for each of the outside accounts and use a common property, like email address, to federate the two accounts with SAML2.
In our environment, all protected applications (using NAM) have their own authentication process; right now we have configured NAM to do form fill or ID injection to the applications so that they can be
authenticated against the same AD (the same AD is also configured as the NAM user store). However, when a federated account tries to log in, how can we get the password from our own AD? I searched and didn't find a way of doing it. My question is whether there is a way to get the local AD password using NAM so that it can be passed to the protected application. I heard that if users are stored in eDirectory, the local password can be retrieved, but we don't have plans to do that since the impact would be too big. This has to be a common issue with federated accounts; how do others handle it?

Thanks
Mark
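The account-linking step described in the post above (one local account per outside user, matched on a common attribute such as email), shown as an added example that is not part of the original post and not NAM's or AD's own code. It parses a constructed SAML2 assertion with the Python standard library, validates issuer, audience and validity window, reads the mail attribute, and matches it case-insensitively against a constructed local directory. Every URL, entity ID, account name and attribute name here is an invented assumption; a real assertion is signed and the signature must be verified before any value in it is trusted. The local directory records deliberately carry no password field: a directory holds one-way hashes, so the linking step can identify the local account but cannot hand the downstream application a password.

```python
"""Attribute-based account linking for a SAML2 federation (added example,
not NAM code).  A constructed assertion is parsed with the standard library,
the subject's mail attribute is read, and it is matched against constructed
local directory entries keyed on the same attribute.  All identifiers, URLs
and entries are invented for illustration."""

import datetime as dt
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion from a hypothetical partner IdP.  A real
# assertion is signed; signature checking is out of scope here and must be
# done before any of the values below are trusted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" IssueInstant="2024-01-01T00:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.branch-b.example.gov/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-8842</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://nam.branch-a.example.gov/saml/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>Jane.Doe@Branch-B.example.gov</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed local directory entries (what an SP-side user store might hold).
# There is no plaintext password field: a directory stores a one-way hash,
# so "fetch the local password" is not an operation the store offers.
LOCAL_ACCOUNTS = [
    {"sAMAccountName": "jdoe.ext", "mail": "jane.doe@branch-b.example.gov"},
    {"sAMAccountName": "msmith.ext", "mail": "m.smith@branch-c.example.gov"},
]

TRUSTED_ISSUERS = {"https://idp.branch-b.example.gov/saml"}   # assumed entity ID
OUR_AUDIENCE = "https://nam.branch-a.example.gov/saml/sp"      # assumed SP entity ID


def _parse_time(s):
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def extract_identity(assertion_xml, now=None):
    """Return (issuer, name_id, email) after checking issuer, audience and time window."""
    now = now or dt.datetime.now(dt.timezone.utc)
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in TRUSTED_ISSUERS:
        raise ValueError("untrusted issuer: %r" % issuer)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    if not (_parse_time(cond.get("NotBefore")) <= now < _parse_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if OUR_AUDIENCE not in audiences:
        raise ValueError("assertion not addressed to this SP")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    email = None
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "mail":
            email = attr.findtext("saml:AttributeValue", namespaces=NS)
    if not name_id or not email:
        raise ValueError("assertion lacks NameID or mail attribute")
    return issuer, name_id, email


def link_local_account(assertion_xml, accounts=LOCAL_ACCOUNTS, now=None):
    """Match the asserted e-mail to exactly one local account (case-insensitive).
    Returns the local sAMAccountName, or None when there is no unique match."""
    _, _, email = extract_identity(assertion_xml, now=now)
    key = email.strip().lower()
    matches = [a for a in accounts if a["mail"].lower() == key]
    if len(matches) != 1:   # zero or ambiguous matches: refuse to link
        return None
    return matches[0]["sAMAccountName"]


if __name__ == "__main__":
    print(link_local_account(SAMPLE_ASSERTION))   # jdoe.ext
```

The refusal on zero or ambiguous matches is deliberate: linking on a mutable attribute like mail is only safe when the match is unique, and once the local account is identified the protected application still needs an SSO path (header or identity injection, not a replayed password) because the store never yields the credential.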