Previous Topic: Supply SAML Attributes as HTTP HeadersNext Topic: Request Processing with a Proxy Server at the SP


Specify Redirect URLs for Failed SAML 2.0 Authentication

If a Service Provider cannot authenticate a user during a single sign-on transaction, that user can be redirected to a customized URL for further processing.

You can configure several optional redirect URLs for failed authentication. If the assertion is not valid, the redirect URLs allow finer control over redirecting the user. For example, if a user cannot be found in a user directory, specify a User Not Found redirect URL. This URL can send the user to a registration page.

You can configure the following URLs:

Note: Configuring redirect URLs is not required.

Some of the redirect URLs are for specific status conditions. These conditions include a user is not found, the single sign-on message is invalid, or the user credentials are not accepted. Other redirect URLs handle HTTP 500, 400, 405, and 403 error conditions. If any of the conditions occur, redirect URLs can send the user to an application or a customized error page for further action.

Redirection to these customized URLs can take place only when enough information about the Identity Provider is provided to the Service Provider. For example, if during a request there is an issue in retrieving certificate information, the user is redirected to Server Error URL specified. However, if a request contains an invalid IdP ID, no redirection happens and the HTTP error code 400 is returned to the browser.

To configure optional redirect URLs

  1. Navigate to the SAML 2.0 authentication scheme you want to modify.
  2. Select SAML 2.0 Configuration, Advanced.
  3. In the Status Redirect URLs and Modes section, fill in a URL for one or more of the fields.

    Click Help for the field descriptions.

    Federation Web Services handles the errors by mapping the authentication reason into one of the configured redirect URLs. The user can be redirected to that redirect URL to report the error.

  4. Select one of the following modes:
  5. Click OK to save your changes.

Note: These redirect URLs can be used with the Message Consumer Plug-in for further assertion processing. If authentication fails, the plug-in can send the user to one of the redirect URLs you specify.