I'm struggling with a pre-auth risk policy; it works fine but does not return attributes if the user is authenticated locally.
The setup is as follows: I check for an X-Forwarded-For header that contains a specific IP address; if so, the user gets a medium risk score, and I have picked secure password form + TOTP (OTP) as step-up methods.
If the user comes from another IP address, he gets a risk score of 0 and a method that is basically a JSP page with different external IdPs that the user can choose from.
If the method that points to the external IdP is used, the SAML request returns the user attribute retrieved from the user store after user lookup.
But if the username/password + TOTP is executed, the user gets authenticated but no attributes are retrieved; only an assertion is sent to the SP.
I can see in the logs that the user gets authenticated, and the TOTP method would not work if the user wasn't identified.
NAM version is 5 SP3 and it's an appliance cluster.
Has anyone seen this behavior and got any suggestions?