
Federation Consent prompt

We are running NAM 5.0 and just configured a SP where we are getting the Federation Consent prompt after login:

In the AuthnRequest, we see:

<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>

and we do have Persistent checked in the Authentication Response tab in the SP. If we do not have Persistent checked, then we don't get the SSO login prompt and we have Persistent checked in many other SPs without being prompted for Federation Consent.

Is there something we can change on our end to resolve this, or does the IDP on the vendor end need something changed? They are using Keycloak. In catalina.out, we see:

<amLogEntry> 2023-06-29T17:24:30Z DEBUG NIDS Application:
Method: NIDPPrincipal.getIdentity
Thread: https-jsse-nio-XXXXXXXXXXXXXXXXX-exec-11
Get the identity for: Identity Id: auth.parchment.com/.../parchment, provided: true, federated: true, Principal: cn=C00000039,ou=users,o=wcc </amLogEntry>

...

<amLogEntry> 2023-06-29T17:24:30Z DEBUG NIDS SAML2:
Method: SAML2SSOProfile.A
Thread: https-jsse-nio-XXXXXXXXXXXXXXXXX-exec-11
Create identity in progress: Asking for consent: consentName: auth.parchment.com/.../parchment, go to Main JSP: main </amLogEntry>
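
As an added example (not from this thread or from NAM itself), the script below pulls the NameIDPolicy out of an AuthnRequest and walks <amLogEntry> blocks of the kind quoted above, listing each "Asking for consent" entry with its thread and whether the request asked for a persistent NameID with AllowCreate. The AuthnRequest, the log excerpt, the provider name "idp.example/.../sp" and the thread id "HOST" are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample: a minimal AuthnRequest carrying the NameIDPolicy quoted in the post.
AUTHN_REQUEST = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" Version="2.0">'
                 f'<samlp:NameIDPolicy AllowCreate="true" Format="{PERSISTENT}"/></samlp:AuthnRequest>')
# Constructed catalina.out excerpt modelled on the post; provider and thread names are placeholders.
CATALINA_OUT = """<amLogEntry> 2023-06-29T17:24:30Z DEBUG NIDS Application:
Method: NIDPPrincipal.getIdentity
Thread: https-jsse-nio-HOST-exec-11
Get the identity for: Identity Id: idp.example/.../sp, provided: true, federated: true, Principal: cn=C00000039,ou=users,o=wcc </amLogEntry>
<amLogEntry> 2023-06-29T17:24:30Z DEBUG NIDS SAML2:
Method: SAML2SSOProfile.A
Thread: https-jsse-nio-HOST-exec-11
Create identity in progress: Asking for consent: consentName: idp.example/.../sp, go to Main JSP: main </amLogEntry>
"""

def name_id_policy(xml_text):
    """Return (AllowCreate, Format) from the request's NameIDPolicy, or None if it has none."""
    pol = ET.fromstring(xml_text).find(f"{{{SAMLP_NS}}}NameIDPolicy")
    return None if pol is None else (pol.get("AllowCreate", "false").lower() == "true", pol.get("Format"))

def parse_entries(log_text):
    """One dict per <amLogEntry>: timestamp, component, method, thread and the message line."""
    entries = []
    for body in re.findall(r"<amLogEntry>(.*?)</amLogEntry>", log_text, re.S):
        lines = [ln.strip() for ln in body.strip().splitlines() if ln.strip()]
        stamp, _level, component = lines[0].split(None, 2)
        entry = {"timestamp": stamp, "component": component.rstrip(":"), "message": ""}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            if key in ("Method", "Thread"):      # structured header fields
                entry[key.lower()] = value.strip()
            else:                                 # free-text message (may itself contain colons)
                entry["message"] = line
        entries.append(entry)
    return entries

def consent_prompts(log_text, policy):
    """'Asking for consent' entries with thread, provider, and whether the request asked for persistent+AllowCreate."""
    allow_create, fmt = policy or (False, None)
    hits = []
    for e in parse_entries(log_text):
        if "Asking for consent" in e["message"]:
            m = re.search(r"consentName: ([^,]+)", e["message"])
            hits.append({"thread": e.get("thread"), "consentName": m.group(1) if m else None,
                         "persistent": fmt == PERSISTENT, "allow_create": allow_create})
    return hits
```

Run it against a real catalina.out and the SP's captured AuthnRequest to see, per thread, which consent prompts coincide with a persistent NameID request that allows creating a new federation.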

Reply:

    Thanks. We read through that section of the documentation. Are we being prompted for Federation Consent because of a request by the IDP? We're curious as to why we are being prompted when we haven't been prompted by the 30+ SPs we currently have in NAM.

Reply:

    Actually, I am surprised you were never asked for consent before.

    As far as I remember, all SP federations ask for consent. But frankly, the last time I saw a consent prompt was years ago (I think it was still AM version 3.x), since that setting is kind of a standard setting for me and I put it on all my setups at installation time.

    Kind regards,

    Sebastijan
