Federation Consent prompt

We are running NAM 5.0 and just configured an SP where we are getting the Federation Consent prompt after login:

In the AuthnRequest, we see:

<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>

and we do have Persistent checked in the Authentication Response tab in the SP. If we do not have Persistent checked, then we don't get the SSO login prompt, and we have Persistent checked in many other SPs without being prompted for Federation Consent.

Is there something we can change on our end to resolve this, or does the IDP on the vendor end need something changed? They are using Keycloak. In catalina.out, we see:

<amLogEntry> 2023-06-29T17:24:30Z DEBUG NIDS Application:
Method: NIDPPrincipal.getIdentity
Thread: https-jsse-nio-XXXXXXXXXXXXXXXXX-exec-11
Get the identity for: Identity Id: auth.parchment.com/.../parchment, provided: true, federated: true, Principal: cn=C00000039,ou=users,o=wcc </amLogEntry>

...

<amLogEntry> 2023-06-29T17:24:30Z DEBUG NIDS SAML2:
Method: SAML2SSOProfile.A
Thread: https-jsse-nio-XXXXXXXXXXXXXXXXX-exec-11
Create identity in progress: Asking for consent: consentName: auth.parchment.com/.../parchment, go to Main JSP: main </amLogEntry>
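
Added example, not part of the original post and not NetIQ or Keycloak code: a Python triage script that parses <amLogEntry> blocks in the layout quoted above and lists each "Asking for consent" event together with the last getIdentity entry logged on the same thread. The sample log is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the <amLogEntry> layout quoted in the post. Thread names,
# identity ids and principals are placeholders; function names are hypothetical.
SAMPLE_LOG = """\
<amLogEntry> 2023-06-29T17:24:30Z DEBUG NIDS Application:
Method: NIDPPrincipal.getIdentity
Thread: https-jsse-nio-0-exec-11
Get the identity for: Identity Id: sp-a.example/saml/metadata, provided: true, federated: true, Principal: cn=user1,ou=users,o=example </amLogEntry>
<amLogEntry> 2023-06-29T17:24:30Z DEBUG NIDS SAML2:
Method: SAML2SSOProfile.A
Thread: https-jsse-nio-0-exec-11
Create identity in progress: Asking for consent: consentName: sp-a.example/saml/metadata, go to Main JSP: main </amLogEntry>
<amLogEntry> 2023-06-29T17:25:02Z DEBUG NIDS SAML2:
Method: SAML2SSOProfile.A
Thread: https-jsse-nio-0-exec-12
Create identity in progress: Asking for consent: consentName: sp-a.example/saml/metadata, go to Main JSP: main </amLogEntry>
"""

ENTRY_RE = re.compile(r"<amLogEntry>\s*(\S+)\s+(\w+)\s+(.*?):\s*\n(.*?)</amLogEntry>", re.S)
CONSENT_RE = re.compile(r"Asking for consent: consentName:\s*(.+?),\s*go to")
IDENTITY_RE = re.compile(r"Identity Id:\s*(.+?),\s*provided:\s*(\w+),\s*federated:\s*(\w+)")

def parse_entries(text):
    """Yield one dict per <amLogEntry>: time, level, component, method, thread, message."""
    for ts, level, component, body in ENTRY_RE.findall(text):
        entry = {"time": ts, "level": level, "component": component, "message": []}
        for line in body.strip().splitlines():
            key, sep, value = line.partition(": ")
            if sep and key in ("Method", "Thread"):
                entry[key.lower()] = value.strip()
            else:
                entry["message"].append(line.strip())
        entry["message"] = " ".join(entry["message"])
        yield entry

def consent_events(text):
    """Return consent prompts, each paired with the last getIdentity seen on its thread."""
    last_identity, events = {}, []
    for e in parse_entries(text):
        ident = IDENTITY_RE.search(e["message"])
        consent = CONSENT_RE.search(e["message"])
        if ident:
            last_identity[e.get("thread")] = {"id": ident.group(1), "federated": ident.group(3) == "true"}
        if consent:
            events.append({"time": e["time"], "thread": e.get("thread"),
                           "consent_name": consent.group(1),
                           "prior_identity": last_identity.get(e.get("thread"))})
    return events
```

Running consent_events over a real catalina.out and grouping by consent_name shows which SPs trigger the prompt and how often, which helps when comparing the affected SP against the ones that do not prompt.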