ADFS Access Control Policy

  • Question

  • I am trying to configure an Access Control Policy for a RP that will allow users from specific groups to be authorized to access the service provider. ADFS enforces the authorization but I am presented with a cryptic RequestDenied error message coming from the Relying Party instead of ADFS. I want to configure a custom authorization error message that will be presented to the user from ADFS and not from the service provider. I am not sure why ADFS redirects the user back to the service provider which displays the error message (a 500 Internal Server Error message). I expected the error to come from the ADFS immediately after logging in which would allow me to display my customized error message. Do I need to do anything else than just associating the Access Control Policy with the RP? Does it make a difference whether the application is SAML-based or WS-Fed-based? In this case, it is SAML.


    Sunday, October 7, 2018 10:50 AM

Answers

  • In the SP-initiated flow, the application has to deal with the absence of a proper SAML response. Not the IDP.

    So you will have to configure your application to actually read the SAML response and display an error message accordingly.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, October 9, 2018 1:27 PM
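The answer above says the service provider, not AD FS, has to read the SAML response and decide what to show the user. As an added example (not code from this thread, from AD FS, or from the asker's application), here is what that looks like on the SP side in Python: the assertion consumer service parses the `samlp:Status` of the decoded `SAMLResponse`, maps the standard SAML 2.0 status code pair to an outcome, logs the detail server-side, and returns a fixed user-facing text instead of a bare 500. The two sample responses are constructed (IDs, times and the `sp.example.test` host are made up); the `Responder`/`RequestDenied` pair is the standard SAML status that matches the "RequestDenied" the asker saw, not a captured AD FS message.

```python
import logging
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"samlp": SAMLP}

STATUS = "urn:oasis:names:tc:SAML:2.0:status:"
SUCCESS = STATUS + "Success"
REQUESTER = STATUS + "Requester"
RESPONDER = STATUS + "Responder"
REQUEST_DENIED = STATUS + "RequestDenied"

log = logging.getLogger("saml_acs")

# Fixed, non-revealing texts for the browser. Status details go to the log only.
USER_TEXT = {
    "success": "Signed in.",
    "access_denied": "You are not authorized to use this application. "
                     "Contact your administrator to request access.",
    "idp_error": "The identity provider could not complete the sign-in. Please try again later.",
    "sp_error": "This application sent an invalid sign-in request. Please contact support.",
    "unknown": "Sign-in failed.",
}


def parse_saml_status(xml_text):
    """Return (top_code, nested_code_or_None, status_message_or_None) of a samlp:Response.

    Raises ValueError for anything that is not a well-formed SAML 2.0 Response with a Status.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError(f"unexpected root element {root.tag}")
    status = root.find("samlp:Status", NS)
    top = status.find("samlp:StatusCode", NS) if status is not None else None
    if top is None or not top.get("Value"):
        raise ValueError("Response has no samlp:Status/samlp:StatusCode")
    nested = top.find("samlp:StatusCode", NS)       # second-level code, e.g. RequestDenied
    message = status.find("samlp:StatusMessage", NS)  # optional free text from the IdP
    return (
        top.get("Value"),
        nested.get("Value") if nested is not None else None,
        message.text if message is not None else None,
    )


def classify_status(top_code, nested_code):
    """Map the SAML 2.0 status code pair to an outcome key."""
    if top_code == SUCCESS:
        return "success"
    if top_code == RESPONDER and nested_code == REQUEST_DENIED:
        return "access_denied"   # IdP authorization (e.g. an Access Control Policy) refused the user
    if top_code == RESPONDER:
        return "idp_error"       # IdP could not process the request for another reason
    if top_code == REQUESTER:
        return "sp_error"        # the SP's own AuthnRequest was faulty
    return "unknown"


def handle_acs_post(xml_text):
    """What the ACS endpoint does with a decoded SAMLResponse: returns (outcome, user_text).

    On "success" the caller must still validate the signature, Destination, audience,
    conditions and InResponseTo before trusting the assertion; that is out of scope here.
    """
    try:
        top_code, nested_code, message = parse_saml_status(xml_text)
    except ValueError as exc:
        log.warning("rejected SAMLResponse: %s", exc)
        return "unknown", USER_TEXT["unknown"]
    outcome = classify_status(top_code, nested_code)
    if outcome != "success":
        log.warning("SAML sign-in failed: top=%s nested=%s message=%r",
                    top_code, nested_code, message)
    return outcome, USER_TEXT[outcome]


# Constructed sample responses (not captured AD FS output; IDs, times and host are made up).
DENIED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed-1" Version="2.0" IssueInstant="2018-10-07T10:50:00Z"
    Destination="https://sp.example.test/saml/acs">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""

SUCCESS_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed-2" Version="2.0" IssueInstant="2018-10-07T10:51:00Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>"""

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for sample in (DENIED_RESPONSE, SUCCESS_RESPONSE, "<broken"):
        print(handle_acs_post(sample))
```

The user text is deliberately generic and static: the codes, the nested `StatusCode` and any `StatusMessage` from the IdP are logged for the help desk, not echoed to the browser, so a denied user learns only that they lack access and whom to contact.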

All replies

  • Unfortunately, the relying party has this generic message for all its federations which means that customization from their side would not be possible. Thanks anyway for your reply!
    Tuesday, October 9, 2018 1:29 PM