When a SAML 2 environment is set up to federate between an Identity Provider (IDP) and a Service Provider (SP), the user is always prompted to consent to the federation before it proceeds. For example, if a user hits an IDP intersite transfer URL, authenticates and is redirected to the SP the user is federating with, the following message appears in the browser:

The administrator does not want the user to be prompted to federate, but no option in the Admin Console appears to change this behaviour. The admin tried the ‘User Interaction Settings’ option under the IDP server's Liberty -> Web Service Consumer and disabled user interactions, but this had no effect.


After making sure that the IDP servers are on Access Manager 3.1 Support Pack 3 or later, set the federationConsent parameter in the IDP web.xml file to a value of true. This file is located at /var/opt/novell/tomcat5/webapps/nidp/WEB-INF/ on Linux-based IDP servers, and at C:\Program Files\Novell\Tomcat\webapps\nidp\WEB-INF\ on Windows-based IDP servers.

The default web.xml file already has the ldapLoadThreshold parameter set, so add the federationConsent parameter directly below it, as shown below.
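The post does not reproduce the web.xml fragment itself, so here is an added example (not from the post or from NetIQ) of how an administrator could apply and audit the change without hand-editing the file. It assumes that ldapLoadThreshold and federationConsent are `<context-param>` entries under `<web-app>` (the element type is not shown on the page), and it works on a constructed, heavily trimmed stand-in for web.xml rather than the real file. The script inserts the parameter right after ldapLoadThreshold, keeps the default namespace intact, and is idempotent, so re-running it during a change window never produces a duplicate entry; `get_context_param` doubles as the check you would run afterwards to confirm the setting is present.

```python
import xml.etree.ElementTree as ET

# Constructed, heavily trimmed stand-in for nidp/WEB-INF/web.xml; the real file
# is far larger. Assumption: ldapLoadThreshold and federationConsent live in
# <context-param> entries (the post shows neither the element type nor the XML).
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <context-param>
    <param-name>ldapLoadThreshold</param-name>
    <param-value>10</param-value>
  </context-param>
  <servlet>
    <servlet-name>nidp</servlet-name>
    <servlet-class>placeholder.Servlet</servlet-class>
  </servlet>
</web-app>
"""


def _ns(root):
    """Namespace prefix in ElementTree's '{uri}' form, or '' if unqualified."""
    return root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""


def _find_context_param(root, name):
    """Return the <context-param> whose <param-name> is `name`, or None."""
    ns = _ns(root)
    for cp in root.findall(ns + "context-param"):
        pn = cp.find(ns + "param-name")
        if pn is not None and (pn.text or "").strip() == name:
            return cp
    return None


def context_param_names(xml_text):
    """Ordered list of <context-param> names, used to confirm placement."""
    root = ET.fromstring(xml_text)
    ns = _ns(root)
    return [(cp.find(ns + "param-name").text or "").strip()
            for cp in root.findall(ns + "context-param")]


def get_context_param(xml_text, name):
    """Value of <context-param> `name`, or None if it is not set (audit check)."""
    root = ET.fromstring(xml_text)
    cp = _find_context_param(root, name)
    if cp is None:
        return None
    pv = cp.find(_ns(root) + "param-value")
    return (pv.text or "").strip() if pv is not None else None


def set_context_param(xml_text, name, value, after="ldapLoadThreshold"):
    """Idempotently set <context-param> `name` to `value`; return the new XML.

    A missing parameter is inserted right after the `after` parameter (or as
    the first child of <web-app> if that one is absent); an existing one is
    updated in place, so running this twice never duplicates the entry.
    """
    root = ET.fromstring(xml_text)
    ns = _ns(root)
    if ns:  # keep the default namespace instead of an ns0: prefix on output
        ET.register_namespace("", ns[1:-1])
    cp = _find_context_param(root, name)
    if cp is None:
        cp = ET.Element(ns + "context-param")
        cp.text = "\n    "
        pn = ET.SubElement(cp, ns + "param-name")
        pn.text, pn.tail = name, "\n    "
        pv = ET.SubElement(cp, ns + "param-value")
        pv.text, pv.tail = value, "\n  "
        anchor = _find_context_param(root, after)
        children = list(root)
        idx = children.index(anchor) + 1 if anchor is not None else 0
        cp.tail = anchor.tail if anchor is not None else "\n  "
        root.insert(idx, cp)
    else:
        pv = cp.find(ns + "param-value")
        if pv is None:
            pv = ET.SubElement(cp, ns + "param-value")
        pv.text = value
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    updated = set_context_param(SAMPLE_WEB_XML, "federationConsent", "true")
    print(updated)
    print("federationConsent =", get_context_param(updated, "federationConsent"))
```

To use it against a real server you would read the file from the WEB-INF path given above, pass its text to `set_context_param`, and write the result back (after taking a backup); note that the serializer drops the XML declaration, so prepend it again if your deployment expects one. Because it parses the XML rather than doing string replacement, the change lands in the right element even when the file's whitespace or ordering differs from the sample.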


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

By: ncashell
Jun 13, 2011
12:11 pm