Forum Discussion
Rabbit23_116296
Nimbostratus
Jan 23, 2014
SSO options - NTLM integrated SAML assertions
I am trying to use NTLM pre-authentication for SAML assertions.
To conceptualize:
use external logon page in F5 that points to a web service instead of a form the web service authenticates pa...
Kevin_Stewart
Employee
Jan 23, 2014
That should in fact work. Assuming you can get the external logon page stuff to work (rarely an easy thing), the only thing the APM IdP needs to send a valid assertion is the session variable that you've specified as the "Assertion Subject Value". So you could technically take the returned username and assign that to the required session variable, and assuming the SP accepts both the assertion and the ID value, you should be good to go. It'd then go something like this (IdP-initiated approach):
- User goes to APM IdP which then redirects to the external logon page
- User authenticates to external logon page via NTLM and is redirected back to APM IdP /my.policy URI with the username and (dummy) POST values
- APM IdP assigns the returned username to the assertion subject value session variable
- APM IdP access policy falls into the resource assignment agent, which specifies an external SP connector, and then redirects the user to the SP with a SAML assertion.
- Bam, you're in.
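In the flow above, the username comes back to /my.policy as a POST value carried by the user's browser and then becomes the assertion subject. The following Python example is added here (it is not from the thread and is not APM functionality) and shows one way the external logon service could sign the returned values and the IdP side could verify them before using the username. The field names `ts` and `mac`, the shared key, the per-login `nonce` and the 60-second window are all assumptions.

```python
import hashlib
import hmac
import time

# Assumption: key provisioned on both the external logon service and the IdP side.
SHARED_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE_SECONDS = 60  # assumed freshness window for the handoff


def _mac(username, issued_at, nonce):
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    parts = (username.encode(), str(issued_at).encode(), nonce.encode())
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


def build_handoff(username, nonce, now=None):
    """External logon service: POST values sent back after NTLM succeeds."""
    issued_at = int(time.time() if now is None else now)
    return {
        "username": username,
        "password": "dummy",  # the (dummy) value from the flow above
        "ts": str(issued_at),
        "mac": _mac(username, issued_at, nonce),
    }


def assertion_subject(post, nonce, now=None):
    """IdP side: return the username to use as assertion subject, or None."""
    now = int(time.time() if now is None else now)
    try:
        issued_at = int(post["ts"])
        username = post["username"]
        expected = _mac(username, issued_at, nonce).encode()
        supplied = post["mac"].encode()
    except (KeyError, ValueError, AttributeError, TypeError):
        return None  # missing or malformed field
    if not hmac.compare_digest(expected, supplied):
        return None  # username, timestamp or nonce binding was altered
    if not 0 <= now - issued_at <= MAX_AGE_SECONDS:
        return None  # stale or future-dated handoff (replay window)
    return username
```
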