Problem:
When a SAML 2 environment is set up to federate between an Identity Provider (IDP) and a Service Provider (SP), the user is always prompted to consent to the federation before it proceeds. For example, if a user hits an IDP intersite transfer URL, authenticates and is redirected to the SP the user is federating with, the following message appears in the browser:
The administrator does not want the user to be prompted to federate, but no option that changes this behaviour seems to exist in the Admin Console. The administrator tried the 'User Interaction Settings' option under the IDP server's Liberty -> Web Service Consumer section and disabled user interactions, but this had no effect.
Solution:
Make sure the IDP servers are on Access Manager 3.1 Support Pack 3 or later, then set the federationConsent parameter in the IDP web.xml file to a value of true. This file is located at /var/opt/novell/tomcat5/webapps/nidp/WEB-INF/ on Linux based IDP servers, and at C:\Program Files\Novell\Tomcat\webapps\nidp\WEB-INF\ on Windows based IDP servers.
The default web.xml file already has the ldapLoadThreshold parameter set, so add the federationConsent parameter directly below it, as shown here:
    <context-param>
        <param-name>ldapLoadThreshold</param-name>
        <param-value>10</param-value>
    </context-param>
    <context-param>
        <param-name>federationConsent</param-name>
        <param-value>true</param-value>
    </context-param>
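Editing web.xml by hand on every IDP server is error-prone (a duplicated or misplaced context-param is easy to miss), so the following added example, which is not part of the KB article and not Novell code, shows how to check for and apply the federationConsent setting idempotently with Python's standard xml.etree library. The sample web.xml embedded below is constructed for the example and only mirrors the ldapLoadThreshold entry the article describes; the j2ee namespace on the root element and the extra otherSetting parameter are assumptions. The script leaves the parameter in place after ldapLoadThreshold, as the article instructs, and reports whether anything changed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed web.xml carrying the default ldapLoadThreshold
# context-param plus one made-up parameter after it, so the insertion point
# is visible. Namespace and otherSetting are assumptions for this example.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <display-name>nidp</display-name>
  <context-param>
    <param-name>ldapLoadThreshold</param-name>
    <param-value>10</param-value>
  </context-param>
  <context-param>
    <param-name>otherSetting</param-name>
    <param-value>example</param-value>
  </context-param>
</web-app>
"""


def _ns(root):
    """Return the '{uri}' tag prefix of the root element, or '' if unqualified."""
    return root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""


def _param_name(cp, ns):
    pn = cp.find(f"{ns}param-name")
    return (pn.text or "").strip() if pn is not None else ""


def get_context_param(root, name):
    """Return the <param-value> text for context-param `name`, or None if absent."""
    ns = _ns(root)
    for cp in root.findall(f"{ns}context-param"):
        if _param_name(cp, ns) == name:
            pv = cp.find(f"{ns}param-value")
            return (pv.text or "").strip() if pv is not None else None
    return None


def ensure_context_param(root, name, value, after="ldapLoadThreshold"):
    """Idempotently set context-param `name` to `value`.

    An existing entry is updated in place; a missing one is inserted right
    after the `after` parameter (appended if that anchor is missing).
    Returns True when the tree was modified, False when it was already correct.
    """
    ns = _ns(root)
    for cp in root.findall(f"{ns}context-param"):
        if _param_name(cp, ns) == name:
            pv = cp.find(f"{ns}param-value")
            if pv is None:
                pv = ET.SubElement(cp, f"{ns}param-value")
            if (pv.text or "").strip() == value:
                return False
            pv.text = value
            return True
    new = ET.Element(f"{ns}context-param")
    ET.SubElement(new, f"{ns}param-name").text = name
    ET.SubElement(new, f"{ns}param-value").text = value
    children = list(root)
    idx = len(children)  # default: append at the end
    for i, child in enumerate(children):
        if child.tag == f"{ns}context-param" and _param_name(child, ns) == after:
            idx = i + 1
            break
    root.insert(idx, new)
    return True


def apply_to_string(xml_text, name="federationConsent", value="true"):
    """Parse web.xml text, apply the setting, return (changed, new_xml_text)."""
    root = ET.fromstring(xml_text)
    ns = _ns(root)
    if ns:
        # Keep the default namespace unprefixed instead of emitting ns0: tags.
        ET.register_namespace("", ns[1:-1])
    changed = ensure_context_param(root, name, value)
    return changed, ET.tostring(root, encoding="unicode")


def param_value_from_string(xml_text, name):
    return get_context_param(ET.fromstring(xml_text), name)


def context_param_names_from_string(xml_text):
    root = ET.fromstring(xml_text)
    ns = _ns(root)
    return [_param_name(cp, ns) for cp in root.findall(f"{ns}context-param")]


if __name__ == "__main__":
    changed, out = apply_to_string(SAMPLE_WEB_XML)
    print("changed:", changed)
    print(out)
```

Running the script prints the updated document with federationConsent set to true directly after ldapLoadThreshold; running it a second time over its own output reports no change, which is the property you want when the same check runs across a cluster of IDP servers. To use it on a real server, read the web.xml from the path given in the article, write the result back, and restart the IDP service as you normally would after a web.xml change (the restart step is not covered by the article).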