Impersonator logs in to IDP and attempts to initiate an impersonation with an SP.
The use case is more or less like this:
1. Impersonatee has established a session with an external IDP and can access the external SP application
2. A Help Desk user (impersonator) establishes a session with an internal IDP that has a trusted SAML relationship with the external SP application
3. The impersonator attempts to access the impersonator realm in the external SP application
4. An impersonation session is established with the SAML attributes passed on to the external SP application
Could this work?
Hernan