Users unnecessarily prompted for external contract card when authenticating to remote SAML identity provider

  • 7005172
  • 19-Jan-2010
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server

Situation

Linux Access Gateway set up to protect internal Web applications. Everything works as expected: users accessing the application are directed to the Identity Server login page to submit their credentials.

The administrator wanted to extend the authentication framework so that users accessing a certain application would authenticate not against the local Identity Server but against a remote SAML2-enabled Identity Server. To do this, an external contract needs to be defined at the local Identity Server (with the same URI as the contract defined at the remote Identity Server). This contract must also be selected as the contract to be executed in the SAML2 relationship between the two SAML providers.

After setting everything up, users accessing the applications that require authentication at the remote SAML Identity Server are first prompted to select the authentication card presented by the local Identity Server, and only then asked for their credentials at the remote Identity Server. This is incorrect: the authentication request should be sent directly to the remote Identity Server so that no user interaction is required at the local server.

Additional Information

Do not include a method in the external contract.

When creating the external contract on the local Identity Server, simply select the 'external contract' flag but do NOT include any methods within that contract. When a method is defined, the Identity Server will try to execute it locally, hence the unnecessary prompt to select the card in the above use case.
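As an added example (not Novell Access Manager code), the following Python check can be run over a captured AuthnRequest/Response pair to confirm that the local and remote Identity Servers agree on the contract URI described above. It assumes that the shared contract URI is carried in the SAML2 AuthnContextClassRef element (requested by the local server, asserted back by the remote one); the message fragments, contract URIs and hostnames are constructed placeholders, and real messages are signed and carry more content than shown.

```python
"""Verify that a SAML2 AuthnRequest/Response pair agrees on the contract URI.

Added example, not Novell Access Manager code. Assumption: the contract URI
shared by the local and remote identity servers travels in the SAML2
AuthnContextClassRef element. All XML below is constructed for illustration
and trimmed to the elements that matter.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Placeholder for the URI of the contract defined on both identity servers.
EXPECTED_CONTRACT_URI = "urn:example:contract:remote-saml"

# Constructed AuthnRequest: what the local server should send when the
# external contract is requested (no local method, so no local card prompt).
GOOD_AUTHN_REQUEST = """\
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-req-1" Version="2.0" IssueInstant="2010-01-19T10:00:00Z">
  <saml:Issuer>https://idp-local.example/nidp/saml2/metadata</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:example:contract:remote-saml</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
"""

# Constructed AuthnRequest that asks for a different (local) contract URI.
MISMATCHED_AUTHN_REQUEST = GOOD_AUTHN_REQUEST.replace(
    "urn:example:contract:remote-saml", "urn:example:contract:name-password")

# Constructed AuthnRequest with no RequestedAuthnContext at all.
NO_CONTEXT_AUTHN_REQUEST = """\
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-req-2" Version="2.0" IssueInstant="2010-01-19T10:00:00Z">
  <saml:Issuer>https://idp-local.example/nidp/saml2/metadata</saml:Issuer>
</samlp:AuthnRequest>
"""

# Constructed Response from the remote identity server.
GOOD_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-resp-1" Version="2.0" IssueInstant="2010-01-19T10:00:05Z">
  <saml:Assertion ID="_constructed-assert-1" Version="2.0" IssueInstant="2010-01-19T10:00:05Z">
    <saml:Issuer>https://idp-remote.example/saml2/metadata</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2010-01-19T10:00:04Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:example:contract:remote-saml</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
"""


def requested_contexts(authn_request_xml):
    """Return the AuthnContextClassRef URIs the AuthnRequest asks for."""
    root = ET.fromstring(authn_request_xml)
    refs = root.findall("samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS)
    return [(r.text or "").strip() for r in refs]


def asserted_contexts(response_xml):
    """Return the AuthnContextClassRef URIs asserted in the Response."""
    root = ET.fromstring(response_xml)
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [(r.text or "").strip() for r in root.findall(path, NS)]


def check_contract_alignment(authn_request_xml, response_xml, expected_uri):
    """Return a list of problems; empty when both messages carry expected_uri."""
    problems = []
    requested = requested_contexts(authn_request_xml)
    if not requested:
        problems.append("AuthnRequest carries no RequestedAuthnContext")
    elif expected_uri not in requested:
        problems.append("AuthnRequest asks for %s, expected %s" % (requested, expected_uri))
    asserted = asserted_contexts(response_xml)
    if not asserted:
        problems.append("Response asserts no AuthnContextClassRef")
    elif expected_uri not in asserted:
        problems.append("Response asserts %s, expected %s" % (asserted, expected_uri))
    return problems


if __name__ == "__main__":
    cases = (("good", GOOD_AUTHN_REQUEST), ("mismatched", MISMATCHED_AUTHN_REQUEST),
             ("no-context", NO_CONTEXT_AUTHN_REQUEST))
    for label, req in cases:
        print(label, check_contract_alignment(req, GOOD_RESPONSE, EXPECTED_CONTRACT_URI) or "OK")
```

Paste the decoded AuthnRequest and Response from a browser SAML trace into the two sample strings (or load them from files) to check a live exchange; a request with no RequestedAuthnContext, or one naming a local contract URI, is the signature to look for when the local card prompt appears.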