tichung wrote:

> The SSO is for the company internal use. They don't want to spend
> extra cost for the certificate.
> Of course I can export IDP trust root certificate to ask then to
> import to the browser, but they think it will bother the user.

By the looks of it its one of the limitations when using the single
server appliance. I don't think there's a way to change this without
severely hacking it which will void the support on it. My suggestion
would if you want the flexibility to deploy a separate AMC and IDP and
a 'MAG'.