I've only setup this once, but apparently didn't take good notes.

NAM is an SP and we're trusting a third-party IDP (Ping Federate).

I have the metadata imported and that part seems to work okay.

I created a new Auth Contract with the basics.
I left the default:
Satisfiable by a contract of equal or higher level

Satisfiable by external provider

I left the:
Requested By: as Do not specify
Left the methods blank.

I gave it an auth card (just made up some stuff)
Passive Auth Only is UNCHECKED.

I go into my IDP -> SAML2 -> Trusted Provider

Authentication Card tab

I Show the card (it's checked)
I have Auth Contracts -> Satisifies contract -> the new contract I made
(let's call it: NewContract)

If I CHECK the Passive Auth Only, then when I go to the NAM IDP, and
click on the auth card, it just flashes the page at me.

If I UNCHECK the Passive Auth Only, then I can click on the card, it
redirects me to the third-party IDP, I login there, click Login, and
then itakes me back to the NAM IDP, but then it wants me to provider a
username, etc. for Federation.

I have Federation set to auto, and not prompt. So I'm unsure why NOT
having passive auth only doesn't seem to work and why enabling it allows
the user to enter things I told it not to do.


kjhurni's Profile: https://forums.netiq.com/member.php?userid=322
View this thread: https://forums.netiq.com/showthread.php?t=47620