Redirect to RP error page on faulty SAML token

  • Question

  • Hi,

    We are using a third party IDP to authenticate users but on that IDP a user can click Cancel.

    The SAML response back in that case has the status urn:oasis:names:tc:SAML:2.0:status:Requester, which ADFS will just throw an error on since it was not successful. Is there any setting for this to redirect to an error page on the RP or even pass-through the "faulty" token?

    Or do we have to ask the IDP to send a Success message so it can actually pass-through and we can handle it code-wise on the RP?

    Monday, July 2, 2018 8:47 AM

All replies

  • It's standard SAML behaviour.
    If the user hits Cancel and you do not get a "urn:oasis:names:tc:SAML:2.0:status:Success" from the IdP, all SPs should deny the Response since it's incomplete/not OK.

    What you can try to do is to catch that somehow on the way, but I think that might cause other issues.
    There is no easy way to filter that out in ADFS as far as I know. 

    So please talk to the IdP, but the IdP provider should not mess with that stuff either since it might open up some SAML vulnerabilities.

    Monday, July 2, 2018 12:13 PM
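    As an added illustration of the reply above (example code, not from this thread or from ADFS), this is what the SP-side status triage looks like: the Response is refused unless the top-level StatusCode is Success and an assertion is actually present, and the status codes are surfaced so the RP can render its own error page. The sample Response is constructed to mimic the "user clicked Cancel" case, and the function name is hypothetical.

```python
# Added example (not from this thread): how an SP/RP should triage the
# <samlp:Status> of a SAML 2.0 Response before looking for an assertion.
# Assumptions: the Response below is constructed to mimic the "user clicked
# Cancel" case in the question (top-level Requester, no Assertion); the
# function name is hypothetical. A real SP must also verify the XML signature
# and use a hardened parser before trusting any field shown here.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample response: status Requester with a nested AuthnFailed code.
CANCELLED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2018-07-02T08:47:00Z" InResponseTo="_req1">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>User cancelled authentication</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""


def triage_response(xml_text):
    """Return (accepted, detail). Only a Success status that carries an
    assertion goes on to full validation; anything else is refused, and the
    status codes are surfaced so the RP can render its own error page."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status", NS)
    top = status.find("samlp:StatusCode", NS) if status is not None else None
    if top is None:
        return False, {"reason": "missing-status"}
    codes = [top.get("Value")]
    nested = top.find("samlp:StatusCode", NS)  # optional second-level code
    if nested is not None:
        codes.append(nested.get("Value"))
    msg = status.find("samlp:StatusMessage", NS)
    detail = {"codes": codes,
              "message": msg.text if msg is not None else "",
              "in_response_to": root.get("InResponseTo")}
    if codes[0] != SUCCESS:
        # No token exists to "pass through"; the RP only ever sees the status.
        return False, {**detail, "reason": "status-not-success"}
    if all(root.find(t, NS) is None for t in ("saml:Assertion", "saml:EncryptedAssertion")):
        return False, {**detail, "reason": "no-assertion"}
    return True, detail
```

    The second branch matters for the "just send Success" idea from the question: a Success status with no assertion is still refused, so the IdP cannot simply relabel a cancelled login.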
  • I guess,

    ADFS 2.0 and 2.1 have customizations possible to a certain extent.

    Which version of ADFS are you using?

    Wednesday, July 4, 2018 1:06 PM
  • That's what I thought, thanks for the reply.

    Kinda ridiculous that there is no way to handle errors on requests to either redirect or customise the error page. I guess we'll have to go to some other product that allows more customisation.

    Friday, July 6, 2018 7:25 AM
  • We are using Server 2016, so ADFS 4.0, which doesn't allow the same customisation as ADFS 2.0 unfortunately.
    Friday, July 6, 2018 7:26 AM