If a Service Provider cannot authenticate a user during a single sign-on transaction, that user can be redirected to a customized URL for further processing.
You can configure several optional redirect URLs for failed authentication. If the assertion is not valid, the redirect URLs allow finer control over redirecting the user. For example, if a user cannot be found in a user directory, specify a User Not Found redirect URL. This URL can send the user to a registration page.
You can configure the following URLs:
Note: Configuring redirect URLs is not required.
Some of the redirect URLs are for specific status conditions: a user is not found, the single sign-on message is invalid, or the user credentials are not accepted. Other redirect URLs handle HTTP 500, 400, 405, and 403 error conditions. If any of these conditions occur, the redirect URLs can send the user to an application or a customized error page for further action.
Redirection to these customized URLs can take place only when the Service Provider has enough information about the Identity Provider. For example, if there is an issue retrieving certificate information during a request, the user is redirected to the specified Server Error URL. However, if a request contains an invalid IdP ID, no redirection happens and the HTTP error code 400 is returned to the browser.
To configure optional redirect URLs
Click Help for the field descriptions.
Federation Web Services handles the errors by mapping the authentication reason into one of the configured redirect URLs. The user can be redirected to that redirect URL to report the error.
Note: These redirect URLs can be used with the Message Consumer Plug-in for further assertion processing. If authentication fails, the plug-in can send the user to one of the redirect URLs you specify.
Copyright © 2014 CA.
All rights reserved.