Looking for documentation about SP-initiated DENY claim

  • Question

  • Hi,

    Using ADFS v.3.0 on 2012 R2, we are establishing a relying party trust with a service provider who supports SP-initiated authentication flow.  The issuance auth rules on this RP specify that only members of a specific security group are allowed to obtain a token for the application.  Users who are members of the group are authenticated successfully.  All other users are issued a DENY token, but it also results in an endless loop for the end user's browser, rather than presenting a proper error message.

    If I decode our SAML response to the SP, I can see the "RequestDenied" status code inside.  The SP is asking me why we are bothering to send that at all, and contends we should instead display an 'access denied' page at that point.

    My response to them was that we can only display an 'access denied' page when the authentication is initiated from the IdP.  My understanding is that if they initiate the auth flow (SP), then it is the responsibility of their application to properly interpret the status code and render an appropriate error message.

    1) Please advise if my understanding is correct?

    2) If yes, then can anyone provide a statement or document which clarifies this for the service provider?  I'm having difficulty locating one.

    Thank you for your time!

    -DaveC

    Wednesday, August 8, 2018 8:20 PM

Answers

  • 1 - Yes. If you do an SP-Initiated sign-on with SAML, the application is in charge of displaying an error message and should not redirect back to the IDP-STS.

    2 - Maybe http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf Section: 3.4.1.4 Processing Rules covers that part:

    If the responder is unable to authenticate the presenter or does not recognize the requested subject, or if prevented from providing an assertion by policies in effect at the identity provider (for example the intended subject has prohibited the identity provider from providing assertions to the relying party), then it MUST return a <Response> with an error <Status>

    Then urn:oasis:names:tc:SAML:2.0:status:RequestDenied is a valid response. 


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.



    Friday, August 10, 2018 1:16 PM
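The loop DaveC describes and the SP-side behaviour Pierre recommends, shown as an added example (not code from the thread, from ADFS, or from the service provider involved). It models the assertion consumer service of a hypothetical SP: the IdP answers the SP's AuthnRequest with a `<samlp:Response>` whose `<Status>` is not Success, and the SP must turn that into an error page rather than issue another AuthnRequest. The sample responses, the ACS URL `https://sp.example.com/saml/acs`, the request IDs and the HTTP-POST `SAMLResponse` encoding are all constructed for the example; signature validation, which a real SP performs before trusting any field, is left out.

```python
"""SP-side handling of a SAML 2.0 <Response> whose <Status> is not Success.

Added example, not code from the thread or from any SP product.  Models the
service-provider end of an SP-initiated flow where the IdP (ADFS in the
thread) returns urn:oasis:names:tc:SAML:2.0:status:RequestDenied because an
issuance authorization rule denied the user.  The SP surfaces that as an
error instead of starting a new AuthnRequest, which is what causes the loop.

Assumption: the response arrives base64-encoded in a SAMLResponse form field
(HTTP-POST binding).  Signature validation is out of scope here.
"""
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"

# Constructed sample of a deny: RequestDenied is a second-level status code,
# so SAML core (3.2.2.2) nests it inside a top-level code such as Responder.
DENIED_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{SAMLP}"
    ID="_deny1" Version="2.0" IssueInstant="2018-08-08T20:00:00Z"
    Destination="https://sp.example.com/saml/acs" InResponseTo="_req1">
  <samlp:Status>
    <samlp:StatusCode Value="{RESPONDER}">
      <samlp:StatusCode Value="{REQUEST_DENIED}"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""

# Constructed sample of the success case (assertion omitted for brevity).
SUCCESS_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{SAMLP}"
    ID="_ok1" Version="2.0" IssueInstant="2018-08-08T20:00:00Z"
    Destination="https://sp.example.com/saml/acs" InResponseTo="_req1">
  <samlp:Status>
    <samlp:StatusCode Value="{SUCCESS}"/>
  </samlp:Status>
</samlp:Response>"""


def encode_saml_response(xml_text: str) -> str:
    """Wrap XML the way an IdP places it in the SAMLResponse form field."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def status_codes(saml_response_b64: str) -> list:
    """Decode SAMLResponse and return the StatusCode chain, outermost first
    (for the deny sample: [Responder, RequestDenied])."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None:
        raise ValueError("Response carries no StatusCode")
    chain = []
    while code is not None:
        chain.append(code.get("Value", ""))
        code = code.find(f"{{{SAMLP}}}StatusCode")  # nested second-level code
    return chain


def handle_acs_post(saml_response_b64: str, expected_in_response_to: str) -> dict:
    """Decide what the SP's assertion consumer service does next.

    Returns an action dict instead of an HTTP response so the decision is
    testable.  On any non-Success status the action is render_error; the SP
    never answers a failure by redirecting to the IdP with a fresh
    AuthnRequest, since a policy deny would just be repeated.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    # An SP-initiated flow expects a reply to the request it actually sent.
    if root.get("InResponseTo") != expected_in_response_to:
        return {"action": "render_error",
                "reason": "unsolicited or mismatched InResponseTo"}
    chain = status_codes(saml_response_b64)
    if chain[0] == SUCCESS:
        return {"action": "process_assertion"}
    if REQUEST_DENIED in chain:
        return {"action": "render_error",
                "reason": "access denied by identity provider policy",
                "status": chain}
    return {"action": "render_error",
            "reason": "identity provider returned a failure status",
            "status": chain}


if __name__ == "__main__":
    denied = encode_saml_response(DENIED_RESPONSE_XML)
    print(status_codes(denied))
    print(handle_acs_post(denied, "_req1"))
    print(handle_acs_post(encode_saml_response(SUCCESS_RESPONSE_XML), "_req1"))
```

The check worth copying is the walk through nested `<StatusCode>` elements: an SP that only inspects the top-level code sees `Responder` and may treat it as a transient failure and retry, which on an issuance-rule deny produces exactly the redirect loop described in the question.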

All replies

  • Pierre - that reference is much appreciated - thank you very much for your help.

    -DaveC

    Friday, August 10, 2018 7:34 PM