All the end users are web only. The Admins and Developers have separate Notes IDs just for Admin/Dev stuff, but they also need to log in with these over HTTP to resolve user issues. Active Directory is managed by a different section, and a large Helpdesk team have access to change user passwords etc. Since the Admin/Dev accounts have Manager access to everything, for security we would like to separate them out.
I had already floated the idea of a separate Admin server, but management in the development team said no! Apparently they *need* to access each server. Don't ask me to explain developers.
I was sort of expecting there to be a 'local login' URL to optionally bypass ADFS, but apparently not. My other thought was whether the LTPA Token document could be copied to another server, so you could have a login server and then switch.