Good morning. I have a client who's moving to a cloud-based document management application. The provider supports AD federation as a means of authentication, but this client is also in the middle of an internal forest to forest AD migration (company name changed and a forest change was required because of it). They currently have SecureID integration and they use it for local and remote authentication. My question - The document management provider uses email address to determine if the request should be sent to ADFS auth servers and that email will not change as part of the migration (that's been done already). In fact, the internal migration incorporates two forests that have the same SID information for the same accounts on each side (SID is copied as part of the migration process). This had me thinking that perhaps I should be thinking about another "source" of the user account, possibly RSA. If I understand it properly, the AD accounts would trust the RSA "cloud" identification of the user objects. I could then simply point the document management provider at just this new source for authentication via SAML (and not have to worry about the internal, forest issue during migration). Anyone run into a similar situation or have any suggestions?