

Configure a SAML2 Response for Authentication Failure

You can use this process to configure a non-assertion response to the Service Provider on authentication failure. When a SAML 2.0 authentication request succeeds, the response to the Service Provider carries the authentication assertion. Previously, a rejected authentication request only resulted in the end user receiving an error message; the Service Provider received no notification of the failed status. With a negative authentication response, control returns to the Service Provider, which can then decide whether to redirect the user or take any other appropriate action.
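As an added example (not from this documentation or from the SiteMinder product), here is how a Service Provider might process the non-assertion response described above: it distinguishes a negative response (failure status, no assertion) from a normal assertion-bearing response and from a malformed "Success without assertion" case. The sample message is constructed; the element names and status URIs come from the SAML 2.0 specification, not from this page.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample negative response (added example, not SiteMinder's actual output):
# top-level Responder status, second-level AuthnFailed, and no <saml:Assertion>.
# Element names and status URIs are those defined in SAML 2.0 Core.
NEGATIVE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" InResponseTo="_req1">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>Authentication failed</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""

def classify_response(xml_text):
    """Decide what the SP should do with a SAML 2.0 Response.
    assertion_present: continue with normal assertion validation (signature, audience, ...)
    auth_failed:       IdP reported a failure, no assertion expected; SP chooses redirect/message
    invalid:           Success claimed without an assertion, or not a Response: reject"""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return {"decision": "invalid", "reason": "not a samlp:Response"}
    top = root.find("samlp:Status/samlp:StatusCode", NS)
    if top is None or top.get("Value") is None:
        return {"decision": "invalid", "reason": "missing StatusCode"}
    codes = [top.get("Value")]
    sub = top.find("samlp:StatusCode", NS)   # optional second-level code, e.g. AuthnFailed
    if sub is not None:
        codes.append(sub.get("Value"))
    has_assertion = (root.find("saml:Assertion", NS) is not None
                     or root.find("saml:EncryptedAssertion", NS) is not None)
    if codes[0] == SUCCESS and has_assertion:
        return {"decision": "assertion_present", "codes": codes}
    if codes[0] == SUCCESS:
        return {"decision": "invalid", "reason": "Success without Assertion", "codes": codes}
    # Negative response: the SP must not grant access, but it now knows the outcome
    # and can correlate it with its own AuthnRequest via InResponseTo.
    msg = root.find("samlp:Status/samlp:StatusMessage", NS)
    return {"decision": "auth_failed", "codes": codes,
            "message": msg.text if msg is not None else None,
            "in_response_to": root.get("InResponseTo")}
```

Signature verification and InResponseTo matching against the SP's own request cache still apply to a negative response before the SP acts on it.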

Important! For this feature to work, the Policy Server, the Web Agent, and the Web Agent Option Pack are all required to be at SM r12.52.

The following diagram depicts the steps required to configure this functionality:

[Diagram: Negative Auth Response configuration steps]

The process of configuring a response to the Service Provider on authentication failure includes the following procedures:

  1. Define a response specifying the Negative Authentication Response attribute.
  2. Create a Basic or Forms authentication scheme.
  3. Define a rule specifying the OnAuthReject action.
  4. Map this rule to the previously defined response in a policy.
  5. Configure an IdP-to-SP partnership to enable negative authentication response.

Define a Response Specifying the Negative Authentication Response Attribute

Begin by defining a response using the WebAgent-OnReject-eGovNegResponse attribute type. Defining a response presupposes a defined domain.

Follow these steps:

  1. Navigate to Policy, Domain, Responses.
  2. Click Create a Response.
  3. Select an appropriate domain, or create a new one.
  4. Click Next.
  5. Enter a name and description (optional) for this response in the General section.
  6. Select the appropriate agent type, usually a SiteMinder web agent.
  7. Click Create Response Attribute in the Attribute List section.
  8. Select WebAgent-OnReject-eGovNegResponse from the drop-down list in the Attribute Type section.
  9. Select Use Relative Target or enter a web server name in the Attribute Fields section.
  10. (Optional) Select Use SSL Connection.

    Note: The selections that you make in this section are the basis for the script that is displayed in the pane in the Advanced section. See the online help for more information.

  11. Select Cache Value or Recalculate Value in the Attribute Caching section.
  12. Click OK to return to the Create Response: Define Response dialog.
  13. Click Finish.

You have defined a response with the appropriate attribute to generate a response to the SP when an authentication fails.

Configure a Basic or Forms Authentication Scheme

You can configure a Basic or Forms scheme to generate a response on authentication failure to the SP.

Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object.

Follow these steps:

  1. Click Infrastructure, Authentication.
  2. Click Authentication Schemes.

    The Authentication Schemes page appears.

  3. Click Create Authentication Scheme.

    Verify that the Create a new object of type Authentication Scheme is selected.

  4. Click OK.

    The Create Authentication Scheme page appears.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  5. Enter a name and protection level.
  6. Select Basic or Forms Template from the Authentication Scheme Type list.
  7. Click Submit.

    The authentication scheme is saved and can now be assigned to a realm.

Configure a Rule for Authentication Event Actions

You can configure a rule to control actions that occur when users attempt to gain access to a resource. For a full SAML 2.0 response on authentication failure, select the OnAuthReject action.

The realm must be able to process authentication events. Verify that the Process Authentication Events option is selected. For information about how to create a realm, see the next topic.

To create a rule

  1. Click Policies, Domain.
  2. Click Rules.

    The Rules page appears.

  3. Click Create Rule.

    The Create Rule: Select Domain page appears.

  4. Select a domain from the list, and click Next.

    The Create Rule: Select Realm page appears.

  5. Select the realm that includes the resources that you want the rule to protect, and click Next.

    The Create Rule: Define Rule page appears.

    Note: If a realm does not exist for the resources that you want to protect, a rule cannot be created to protect those resources.

  6. Type the name and a description of the rule.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  7. Select Authentication events.

    The Action List populates with authentication events.

    Note: The Resource field is disabled because an authentication event applies to the entire realm. The Allow Access and Deny Access options are also disabled as they do not apply to authentication events.

  8. Select the OnAuthReject action.
  9. (Optional) In the Advanced section, set time restrictions and/or active rule settings.
  10. Click Finish.

    The rule is saved and applied to the specified realm and resource.

More information:

Configure a Realm

Advanced Rule Options

Authentication Events

Map the Rule Using the OnAuthReject Action to the Appropriate Response

Associate the rule you created using the OnAuthReject action with the eGovNegResponse attribute in a policy.

Follow these steps:

  1. Navigate to Policies, Domain Policies.
  2. Select a policy.
  3. Navigate to Rules.
  4. Verify that the rule you created with the OnAuthReject action is in the list of rules.
  5. Click Add responses next to that rule.
  6. Select the response that you specified with the eGovNegResponse attribute type.
  7. Save and exit.

You have associated your rule with the appropriate response.

Configure an IdP-to-SP Partnership to Support Negative Authentication Response

You enable a negative authentication response in the SSO configuration step of the IdP-to-SP partnership configuration. Select the Enable Negative Authentication Response check box.

See Single-Sign-on Configuration for further information.