SAML SSO Error Handling in WSO2 Identity Server

This post explains how to handle SAML SSO related errors in WSO2 Identity Server 5.2.0. In the SAML SSO flow, errors can occur for several reasons, for example:

  • Signature verification failure of the SAML request or response.
  • Mismatching ACS URLs in the request and the service provider configuration.
  • Authentication failure in request-path authentication.

The default behavior of the Identity Server is to redirect to the samlsso_notification.do page with the error information, and that page displays the error content to the user.

[Screenshot: the samlsso_notification.do error page]

Note that the error information is passed to the page as URL query parameters. A typical response URL looks like the following:

https://localhost:9443/authenticationendpoint/samlsso_notification.do?status=Error+when+processing+the+authentication+request%21&statusMsg=Please+try+login+again.&SAMLResponse=xxxxx&ACSUrl=http%3A%2F%2Fsamplesp%2F

Ideally, this error should be conveyed back to the service provider rather than only displayed, and that can be done in samlsso_notification.jsp in the authentication endpoint. The following gist shows a modified samlsso_notification.jsp that POSTs the SAML response to the ACS URL. However, this only works when the request URL carries both the SAMLResponse and the ACSUrl parameters; otherwise the page displays a generic error message. If needed, the page can be further modified to POST a static SAML response to a predefined ACS URL when that information cannot be extracted from the URL. This is not straightforward when there are multiple ACS URLs, though, since the page does not have enough information to determine which service provider initiated the login request.
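As an added illustration (this is not the gist from the original post, which is not reproduced here, nor WSO2's own page), the following samlsso_notification.jsp reads SAMLResponse and ACSUrl from the query string and, when both are present, auto-submits them to the ACS URL using the SAML HTTP-POST binding; otherwise it falls back to the generic error message built from status and statusMsg. Every value arrives in a GET request, so anyone can craft the URL: the example HTML-escapes everything it echoes into the page and only auto-POSTs to ACS URLs that are on an allow-list. The KNOWN_ACS_URLS list is a hypothetical stand-in for a lookup against the registered service provider configuration, and the sample entries in it are constructed for this example.

```jsp
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%@ page import="java.util.Arrays" %>
<%@ page import="java.util.List" %>
<%!
    // Minimal HTML escaper. Every value echoed below comes from the query
    // string and is therefore attacker-controllable.
    private static String esc(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hypothetical allow-list of ACS URLs registered for service providers.
    // In a real deployment this would be looked up from the SP configuration
    // instead of being hard-coded; the entries here are constructed samples.
    private static final List<String> KNOWN_ACS_URLS = Arrays.asList(
            "http://samplesp/",
            "https://sp.example.com/saml/acs");

    private static boolean isKnownAcsUrl(String url) {
        return url != null && KNOWN_ACS_URLS.contains(url);
    }

    // The SAMLResponse value is base64 in the HTTP-POST binding; reject
    // anything else before it is echoed into a form field.
    private static boolean looksLikeBase64(String s) {
        return s != null && !s.isEmpty() && s.matches("[A-Za-z0-9+/=\\r\\n]+");
    }
%>
<%
    String status       = request.getParameter("status");
    String statusMsg    = request.getParameter("statusMsg");
    String samlResponse = request.getParameter("SAMLResponse");
    String acsUrl       = request.getParameter("ACSUrl");

    // Only hand the response back to the SP when both values are present and sane.
    boolean canPostBack = looksLikeBase64(samlResponse) && isKnownAcsUrl(acsUrl);
%>
<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <title>SAML 2.0 SSO</title>
</head>
<body<%= canPostBack ? " onload=\"document.forms[0].submit()\"" : "" %>>
<% if (canPostBack) { %>
    <%-- SAMLResponse and ACSUrl present: return the error to the SP via HTTP-POST binding --%>
    <form method="post" action="<%= esc(acsUrl) %>">
        <input type="hidden" name="SAMLResponse" value="<%= esc(samlResponse) %>"/>
        <noscript>
            <p>JavaScript is disabled. Click the button to continue.</p>
            <input type="submit" value="Continue"/>
        </noscript>
    </form>
<% } else { %>
    <%-- Fall back to the generic error page --%>
    <h2><%= esc(status != null ? status : "Error when processing the authentication request!") %></h2>
    <p><%= esc(statusMsg != null ? statusMsg : "Please try login again.") %></p>
<% } %>
</body>
</html>
```

With the sample URL shown above, `ACSUrl=http://samplesp/` is on the allow-list, so the page renders an auto-submitting form that delivers the SAMLResponse to the service provider; a URL with an unknown ACSUrl, or with either parameter missing, gets the generic error page instead.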

To apply these changes to the product, you can either replace samlsso_notification.jsp in the exploded authenticationendpoint.war directory under [IS_HOME]/repository/deployment/server/webapps, or check out the source from [1], modify samlsso_notification.jsp and build it. Once the source is built, drop the new authenticationendpoint.war file into the webapps directory. If there is already an exploded authenticationendpoint directory there, delete that directory as well so the new WAR gets deployed.

Note: This cannot be done in IS 5.1.0 out of the box, but by applying the fix mentioned in [2] you can achieve the same behavior in IS 5.1.0.


[1] – https://github.com/wso2/carbon-identity-framework/tree/release-5.2.0/components/authentication-framework/org.wso2.carbon.identity.application.authentication.endpoint
[2] – https://wso2.org/jira/browse/IDENTITY-4526
