Hello Anders,
Regarding option 2 there is actually a simpler way without the need of a second application. Here are the configuration steps:
1. In NWA -> Authentication & SSO -> Login Modules: for SAML2LoginModule define option "mode" with value "test"
2. The users from the thin client has to access the redirect application with an additional URL parameter "saml2authncontexts=passwordprotectedtransport", e.g. https://sapasjava.company.com/redirect/redirect.jsp?saml2authncontexts=passwordprotectedtransport&url=...
Regards,
Dimitar