Have you managed to get path-based working with NAAF?
There appears to be some AJAX call or something within the product that stops it working completely (I get a red "Forbidden" div and no user details).
Enable AAF to authenticate users with the HTTP Basic authentication exchange.
This is documented at https://www.netiq.com/documentation/advanced-authentication-54/server-administrator-guide/data/configuring_netiq_advanced_authentication_server_appliance.html#configuring_event, which states:
To achieve basic authentication, in the Event Edit screen for Authenticators Management, set the Allow basic authentication option to ON.
NOTE: The basic authentication is supported only for the Authentication Management event and for the Password (PIN), LDAP Password, and HOTP methods.
You must enter /basic with the URL to log in to the enrollment page. The Login page appears and the format of the Username you must provide is: username:PASSWORD|LDAP_PASSWORD|HOTP:1. For example: admin:PASSWORD:1.
In the Events menu of the AAF Admin Console, select the Authenticators Management event, add the chain created in the previous step and switch Allow basic authentication to ON. With this enabled, NAM can be configured to inject the required credentials into requests destined for the AAF server, giving users single sign-on to the enrollment page.
Set up NAM to inject an Authorization: Basic HTTP header carrying the non-standard username format described above (username:METHOD:1 as the user-id, followed by the user's secret). Basic authentication only base64-encodes the credentials, so the connection from NAM to the AAF server must be protected by TLS, and the secret injected by NAM is exposed to anyone who can read that traffic or the NAM configuration.
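The following is an added example, not code from the original page, from NetIQ, or from the NAM/AAF products. It shows what the injected header has to contain for the documented username format, and what a parser on the receiving side has to do differently from a plain RFC 7617 Basic credential: the user-id itself contains colons (username:METHOD:index), so a first-colon split would cut it in the wrong place. The method list is the one the documentation gives (PASSWORD, LDAP_PASSWORD, HOTP); the split-after-third-colon parsing, the `https://aaf.example.com` host and the placement of `/basic` at the end of the URL are assumptions made for the example, not a description of how AAF itself parses the header.

```python
import base64
from typing import Dict, Tuple

# Methods the NetIQ documentation lists as supported for basic authentication
# on the Authenticators Management event.
ALLOWED_METHODS = ("PASSWORD", "LDAP_PASSWORD", "HOTP")


def aaf_basic_user_id(username: str, method: str, chain_index: int = 1) -> str:
    """Build the non-standard user-id 'username:METHOD:index', e.g. 'admin:PASSWORD:1'."""
    if method not in ALLOWED_METHODS:
        raise ValueError(f"method {method!r} is not supported for basic auth")
    if ":" in username:
        # The user-id already contains two colons; a colon in the username
        # would make the credential ambiguous for any parser.
        raise ValueError("username must not contain ':'")
    return f"{username}:{method}:{chain_index}"


def aaf_basic_auth_header(username: str, method: str, secret: str, chain_index: int = 1) -> str:
    """Return the value NAM would inject as the Authorization header."""
    user_id = aaf_basic_user_id(username, method, chain_index)
    token = base64.b64encode(f"{user_id}:{secret}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_aaf_basic_auth_header(header: str) -> Dict[str, object]:
    """Decode the header back into its fields.

    Assumption (not documented AAF behaviour): username, method and index
    never contain ':', so everything after the third colon is the secret.
    A standard Basic parser splitting on the first colon would instead
    yield user 'admin' and password 'PASSWORD:1:<secret>'.
    """
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not a Basic authorization header")
    raw = base64.b64decode(token).decode("utf-8")
    parts = raw.split(":", 3)
    if len(parts) != 4:
        raise ValueError("credential does not have the form username:METHOD:index:secret")
    username, method, index, secret = parts
    if method not in ALLOWED_METHODS:
        raise ValueError(f"method {method!r} is not supported for basic auth")
    return {"username": username, "method": method, "chain_index": int(index), "secret": secret}


def enrollment_request(base_url: str, username: str, method: str, secret: str) -> Tuple[str, Dict[str, str]]:
    """Return (url, headers) for the request NAM forwards to the AAF /basic endpoint.

    The header carries a reusable secret that is only base64-encoded, so the
    example refuses to build a request that would travel over plain HTTP.
    """
    if not base_url.lower().startswith("https://"):
        raise ValueError("Basic credentials must only be sent over TLS")
    url = base_url.rstrip("/") + "/basic"  # assumed placement of /basic
    headers = {"Authorization": aaf_basic_auth_header(username, method, secret)}
    return url, headers


if __name__ == "__main__":
    # Constructed sample values; the host name is hypothetical.
    url, headers = enrollment_request("https://aaf.example.com", "admin", "PASSWORD", "s3cret")
    print(url)
    print(headers["Authorization"])
    print(parse_aaf_basic_auth_header(headers["Authorization"]))
```

The parser is included only to make the point visible: whatever component terminates this Basic exchange cannot use a standard first-colon split, and a secret that itself contains a colon is still recoverable only because the three leading fields are colon-free by construction.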