We are running NAM 5.0 and just configured an SP where we are getting the Federation Consent prompt after login.
In the AuthnRequest, we see:
<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
and we do have Persistent checked in the Authentication Response tab in the SP. If we do not have Persistent checked, then we don't get the SSO login prompt and we have Persistent checked in many other SPs without being prompted for Federation Consent.
Is there something we can change on our end to resolve this, or does the IDP on the vendor end need something changed? They are using Keycloak. In catalina.out, we see:
<amLogEntry> 2023-06-29T17:24:30Z DEBUG NIDS Application:
Method: NIDPPrincipal.getIdentity
Thread: https-jsse-nio-XXXXXXXXXXXXXXXXX-exec-11
Get the identity for: Identity Id: auth.parchment.com/.../parchment, provided: true, federated: true, Principal: cn=C00000039,ou=users,o=wcc </amLogEntry>
...
<amLogEntry> 2023-06-29T17:24:30Z DEBUG NIDS SAML2:
Method: SAML2SSOProfile.A
Thread: https-jsse-nio-XXXXXXXXXXXXXXXXX-exec-11
Create identity in progress: Asking for consent: consentName: auth.parchment.com/.../parchment, go to Main JSP: main </amLogEntry>
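As an added triage aid that is not part of the original post or of NAM itself: the script below parses the quoted AuthnRequest NameIDPolicy and the amLogEntry records into structured fields, so you can confirm from catalina.out that the identity was already reported as federated on the same thread where SAML2SSOProfile decided to ask for consent. The log-line layout (header line, then Method:, Thread:, then the message) is inferred only from the entries quoted above; the AuthnRequest wrapper and the sample log text are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed AuthnRequest: only the NameIDPolicy element is taken from the post;
# the wrapper element and its attributes are made up so the snippet parses as XML.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}"
    ID="_constructed-example" Version="2.0" IssueInstant="2023-06-29T17:24:29Z">
  <samlp:NameIDPolicy AllowCreate="true" Format="{PERSISTENT_FORMAT}"/>
</samlp:AuthnRequest>"""

# Constructed catalina.out excerpt modelled on the two entries quoted in the post.
SAMPLE_LOG = """<amLogEntry> 2023-06-29T17:24:30Z DEBUG NIDS Application:
Method: NIDPPrincipal.getIdentity
Thread: https-jsse-nio-XXXXXXXXXXXXXXXXX-exec-11
Get the identity for: Identity Id: auth.parchment.com/.../parchment, provided: true, federated: true, Principal: cn=C00000039,ou=users,o=wcc </amLogEntry>
...
<amLogEntry> 2023-06-29T17:24:30Z DEBUG NIDS SAML2:
Method: SAML2SSOProfile.A
Thread: https-jsse-nio-XXXXXXXXXXXXXXXXX-exec-11
Create identity in progress: Asking for consent: consentName: auth.parchment.com/.../parchment, go to Main JSP: main </amLogEntry>
"""


@dataclass
class LogEntry:
    timestamp: str
    level: str
    component: str   # e.g. "NIDS SAML2"
    method: str
    thread: str
    message: str


ENTRY_RE = re.compile(r"<amLogEntry>\s*(.*?)\s*</amLogEntry>", re.DOTALL)
HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.+?):\s*$")          # timestamp level component:
CONSENT_RE = re.compile(r"Asking for consent: consentName:\s*([^,\s]+)")
IDENTITY_RE = re.compile(r"Identity Id:\s*([^,\s]+),.*?federated:\s*(true|false)")


def parse_entries(log_text: str) -> List[LogEntry]:
    """Split a catalina.out excerpt into amLogEntry records with named fields."""
    entries: List[LogEntry] = []
    for body in ENTRY_RE.findall(log_text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        header = HEADER_RE.match(lines[0]) if lines else None
        if not header:
            continue  # not the header shape seen in the post; skip rather than guess
        fields = {"Method": "", "Thread": ""}
        message_lines: List[str] = []
        for ln in lines[1:]:
            key, sep, value = ln.partition(":")
            if sep and key in fields and not fields[key]:
                fields[key] = value.strip()
            else:
                message_lines.append(ln)   # everything else is the free-text message
        entries.append(LogEntry(header.group(1), header.group(2), header.group(3),
                                fields["Method"], fields["Thread"], " ".join(message_lines)))
    return entries


def consent_prompts(entries: List[LogEntry]) -> List[Tuple[str, str]]:
    """(thread, consentName) for each entry where NAM decided to show the consent page."""
    return [(e.thread, m.group(1)) for e in entries
            for m in [CONSENT_RE.search(e.message)] if m]


def federated_identities(entries: List[LogEntry]) -> List[Tuple[str, bool]]:
    """(Identity Id, federated flag) from NIDPPrincipal.getIdentity entries."""
    return [(m.group(1), m.group(2) == "true") for e in entries
            for m in [IDENTITY_RE.search(e.message)] if m]


def name_id_policy(authn_request_xml: str) -> Optional[Dict[str, object]]:
    """Extract Format and AllowCreate from the NameIDPolicy of an AuthnRequest."""
    root = ET.fromstring(authn_request_xml)
    tag = f"{{{SAMLP_NS}}}NameIDPolicy"
    policy = root if root.tag == tag else root.find(f".//{tag}")
    if policy is None:
        return None
    return {"format": policy.get("Format"),
            "allow_create": policy.get("AllowCreate", "false").lower() == "true"}


def triage(authn_request_xml: str, log_text: str) -> Dict[str, object]:
    """Summarise what the SP asked for and what the IDP side logged."""
    policy = name_id_policy(authn_request_xml) or {}
    entries = parse_entries(log_text)
    return {"persistent_requested": policy.get("format") == PERSISTENT_FORMAT,
            "allow_create": bool(policy.get("allow_create")),
            "federated_identities": federated_identities(entries),
            "consent_prompts": consent_prompts(entries)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_AUTHN_REQUEST, SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real catalina.out by reading the file into `triage` in place of SAMPLE_LOG; a result with `persistent_requested` true, an identity already reported `federated: true`, and a consent prompt on the same thread is the pattern described in the post and is what to quote when comparing this SP's configuration with the SPs that do not prompt.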