Federation Security Services Guide › Configure SiteMinder as a SAML 2.0 Service Provider › Specify Redirect URLs for Failed SAML 2.0 Authentication

Specify Redirect URLs for Failed SAML 2.0 Authentication

If a Service Provider cannot authenticate a user during a single sign-on transaction, that user can be redirected to a customized URL for further processing.

You can configure several optional redirect URLs for failed authentication. The redirect URLs allow finer control over where a user is redirected if the assertion is not valid. For example, if a user cannot be located in a user store, you can fill in a User Not Found redirect URL and send the user to a registration page.

You can configure the following:

• Status redirect URLs
• HTTP error redirect URLs

Note: Configuring redirect URLs is not required.

The Status Redirect URLs on the Advanced tab are redirect URLs for specific status conditions. These conditions include a user is not found, the single sign-on message is invalid, or the user credentials are not accepted. If any of the conditions occur, redirect URLs can send the user to an application or a customized error page for further action.

The Additional URL Configuration dialog is where you configure redirect URLs to handle HTTP 500, 400, 405, and 403 error conditions. If any of these errors occur, redirect URLs can send the user to an application or a customized error page for further action.

Redirection to these customized URLs can take place only when enough information about the Identity Provider is provided to the Service Provider. For example, if during a request there is an issue in retrieving certificate information from smkeydatabase, the user is redirected to Server Error URL specified. However, if a request contains an invalid IdP ID, no redirection happens and the HTTP error code 400 is returned to the browser.

To configure optional redirect URLs for failed authentication

1. Select the SAML 2.0 authentication scheme you want to modify.
2. Select Additional Configuration on the Scheme Setup tab.

   The SAML 2.0 Auth. Scheme Properties dialog opens.

3. Select the Advanced tab.
4. Fill in a URL for one or more of the following fields:
   • Redirect URL for the User Not Found status
   • Redirect URL for the Invalid SSO Message status
   • Redirect URL for the Unaccepted User Credential (SSO Message) status

   Note: Click Help for a description of fields, controls, and their respective requirements.

   Federation Web Services handles the errors by mapping the authentication reason into one of the configured redirect URLs, then the user can be redirected to that URL to report the error.

5. Select one of the following redirect modes:
   • 302 No Data
   • HTTP POST
6. Do one of the following:
   • Click OK to save your changes.
   • Select Additional URL Configuration for more redirect URLs that you can configure.
7. If you select Additional URL Configuration, specify a URL for one or more of the following fields:
   • Enable Server Error URL
   • Enable Invalid Request URL
   • Enable Unauthorized Access URL
8. Select one of the following redirect modes:
   • 302 No Data
   • HTTP POST
9. Click OK to save your changes.

Note: These redirect URLs can be used with the SiteMinder Message Consumer Plug-in for further assertion processing. If authentication fails, the plug-in can send the user to one of the redirect URLs you specify.