ADFS - redirecting unauthorised users to an error message

  • Question

  • Hi,

    We have two ADFS servers and two ADFS proxy servers installed in our environment. We integrate applications with ADFS for SSO, so that users log in using their AD credentials instead of using separate credentials for every application.

    One of the applications is integrated with ADFS for SSO and it is working fine. Later, the requirement was to create a group in AD so that only members of that group should be able to log in. We did that, and now members of the group can successfully log in, while for non-members an error page pops up saying "Missing SAML attributes" and they cannot log in. Now the requirement is to redirect unauthorised users to an error message saying "you are not allowed access". I spoke to the vendor about it, but he says we have to redirect from the ADFS servers to the error message; nothing can be done from the application side. And this is SP initiated.

    Wednesday, June 28, 2017 7:52 PM

All replies

  • Users using SAML applications with SP-initiated flow are redirected to the applications even if they do not have a valid token. AFAIK, that's by design in SAML.

    If the application were using WS-Fed or if the application is using SAML IDP-initiated sign-on then you could customize an error message at the ADFS level.

    For the other cases (including yours), the application can customize its code in such a way that it is more "user friendly". But there isn't much we can do at the ADFS level in terms of error messages.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.



    Thursday, June 29, 2017 2:14 AM
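    The behaviour described in this answer, shown from the SP side as an added example (not code from the original thread or from ADFS): in an SP-initiated flow the IdP still posts a SAMLResponse back to the application when it refuses to issue a token, only with a non-Success StatusCode and no assertion, so the "you are not allowed access" page has to come from the application's assertion consumer endpoint. The sample response below is constructed, not captured from ADFS, and the status values it uses are the standard SAML 2.0 ones.

```python
import base64
import xml.etree.ElementTree as ET  # use defusedxml in production: the input is untrusted

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
DENY_PAGE = "you are not allowed access"

# Constructed sample of what the SP receives (after base64-decoding the
# SAMLResponse form field) when the IdP would not issue a token.
DENIED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_c1" Version="2.0" IssueInstant="2017-06-29T00:00:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""

# Constructed minimal success response (assertion content omitted for brevity).
SUCCESS_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_c2" Version="2.0" IssueInstant="2017-06-29T00:00:00Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>"""


def encode_response(xml_text):
    """Base64-encode a response the way it travels in the SAMLResponse form field."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def status_codes(xml_text):
    """Return the chain of StatusCode values (top-level first) from a samlp:Response."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    codes, node = [], root.find("samlp:Status/samlp:StatusCode", NS)
    while node is not None:  # nested StatusCode carries the detail (e.g. RequestDenied)
        codes.append(node.get("Value", ""))
        node = node.find("samlp:StatusCode", NS)
    return codes


def handle_acs(saml_response_b64):
    """Decide what the SP's assertion consumer service should show the user."""
    codes = status_codes(base64.b64decode(saml_response_b64).decode("utf-8"))
    if codes and codes[0] == SUCCESS:
        # Only now validate signature, audience and conditions, then create the session.
        return ("assertion", codes)
    return (DENY_PAGE, codes)  # no token was issued: show the SP's own error page
```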
  • You might simply deny issuing the token. If you change your authorization rules for the specific relying party / service provider, then the user won't get a SAML token and will get an error suggesting he/she is not authorized. Would that be OK for you?

    Martin

    Thursday, June 29, 2017 1:41 PM
  • But that's the thing :) I believe that is what it does. Unfortunately, in a SAML SP-initiated flow, if you don't get a token, you are redirected to the application anyway. And it is up to the application to display an error.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, June 29, 2017 4:10 PM
  • Hi Martin,

    If I deny the token, even members of the group won't be able to log in then. After a lot of research I found it is the application where a certain script or code can be written in the web.config file to display an error. As I have access only to the IDP side, I cannot control the error. This is what I think. Please correct me if I am wrong.

    Thanks for your help Martin.


    Nidhi sharma

    Thursday, June 29, 2017 6:17 PM
  • I too think the same Pierre.


    Nidhi sharma

    Thursday, June 29, 2017 6:18 PM
  • Funny though, I just checked in my lab and I get an error / unauthorized access page on the ADFS. Are you sure?

    I did try both idpinitiatedsignon as well as idpinitiatedsignon?logintorp=relying-party-id and both showed me the unauthorized access page on the ADFS.

    Martin

    Friday, June 30, 2017 7:29 AM
  • Drat,

    I need to start reading before writing :), of course you are correct, in SP initiated flow you'll get redirected. Sorry, my fault.

    Martin

    Friday, June 30, 2017 7:36 AM
  • yea... Martin, I have already customized the error at the IDP side. My question was "how to do the same at the SP side?". I am using SP initiated flow.

    Thanks


    Nidhi sharma

    Friday, June 30, 2017 12:12 PM