

Redirect Users After Failed SAML 1.x Authentication Attempts

If a consumer cannot authenticate a user during a single sign-on transaction, the consumer can redirect that user to a customized URL for further processing.

You can configure several optional redirect URLs for failed authentication. These redirect URLs give you more control over where a user is redirected. For example, if a user cannot be located in a user store, you can fill in a User Not Found redirect URL.

The Status Redirect URLs and Modes are in the Additional Configuration section of the authentication dialog. The redirect URLs are for specific status conditions:

If any of the conditions occurs, the redirect URLs can send the user to an application or a customized error page for further action.

Note: Configuring redirect URLs is not required.

If you do not configure redirect URLs, standard CA SiteMinder® processing takes place. How a failed authentication is handled depends on the configuration of the authentication scheme.

To configure status redirect URLs

  1. Navigate to the page for a SAML Artifact or SAML POST authentication scheme.
  2. In the Status Redirect URLs and Modes section, fill in a URL for one or more of the fields.

    Click Help for descriptions of settings.

    Federation Web Services handles the errors by mapping the authentication reason into one of the configured redirect URLs. The user can be redirected to that URL to report the error.

  3. Select one of the following modes:
  4. Click OK to save your changes.

Note: These redirect URLs can be used with the CA SiteMinder® Message Consumer Plug-in for further assertion processing. If authentication fails, the plug-in can send the user to one of the redirect URLs you specify.