Saml2

Hi All,

Currently we are using AM as IdP and the xyz app as SP. We have done a SAML federation between them.
When the xyz app launches the application page xyz.abc.com, the page is redirected to the FR Auth journey page with the SAML federation. If the user doesn't log in for about 15 mins, the page gives an error: server error, unexpected error due to login.

Can you please suggest how to tackle the below scenario:

1) How can we provide a proper error message (an invalid session message) and ask them to redirect to the application login URL?
2) How do we configure the SAML error in this scenario?

Hi Saichandra, I see this issue has also been raised through a support ticket, affirming your use case aligns with the solution outlined in KB article Federation fails with Unable to get AuthnRequest from cache, sending error response in AM, which involves using IdP initiated SSO or writing a custom IdP Adapter to handle invalid session errors and redirect users to a custom login page:

  • Timeout: Use the IdP initiated SSO to avoid the problem altogether as you cannot increase the cache indefinitely to capture all these instances. Alternatively you can write a custom IdP Adapter that would catch this scenario and, instead of returning an assertion, would interrupt the federation flow and redirect the user to a custom page. The custom page would explain there was an error, ask the user to try to log in again and provide the link to the spSSOInit.jsp URL as shown in the first bullet.

I hope you were able to get your adapter working as expected.
I wanted to share this information with the community in hopes that it will help others facing a similar challenge.

To write a custom IdP Adapter please see IdP Adapter and the SAML2 IdP Adapter JS script.

You will need to decide whether you are going to use the default com.sun.identity.saml2.plugins.DefaultIDPAdapter class or write a Java class that implements the org.forgerock.openam.saml2.plugins.IDPAdapter interface, and override a plugin point (see IDP adapter plugin :: AM 7.2.2) to return the function relayState, and configure a redirect using the relay state, as outlined here:

How do I redirect to a specific page after a successful IdP or SP initiated login in Identity Cloud or AM (All versions)?

You can also implement an IDP adapter script that determines whether the authentication journey should be redirected based on the evaluation of a policy.

Warm regards,

Sheila
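As an added illustration of the custom IdP Adapter approach described in Sheila's reply (this is example code written for this thread, not code from the thread, the KB article or ForgeRock), the class below extends the default adapter and, at the point where AM is about to send a SAML failure response, redirects the browser to a "session expired" page that links back to the application's login URL. The hook name and its parameter list, the assumption that a redirect committed from this hook interrupts the federation flow, the package name, the class name and the two URLs are all assumptions to be checked against the IDPAdapter Javadoc for your AM version; nothing is read from the incoming request, so the redirect target cannot be steered by a caller.

```java
// Added example for this thread; not the thread's, the KB article's or ForgeRock's own code.
// Assumptions (verify against the Javadoc of your AM version):
//   - org.forgerock.openam.saml2.plugins.IDPAdapter exposes a
//     preSendFailureResponse(request, response, faultCode, faultDetail) hook and
//     com.sun.identity.saml2.plugins.DefaultIDPAdapter implements it.
//   - Committing a redirect from that hook stops AM from sending its own error page.
package com.example.saml2; // hypothetical package

import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.plugins.DefaultIDPAdapter;

public class SessionExpiredIdpAdapter extends DefaultIDPAdapter {

    // Placeholders: in a real deployment read these from adapter configuration.
    // Both are fixed values, never taken from the request or the RelayState,
    // so the adapter cannot be turned into an open redirect.
    private static final String ERROR_PAGE = "https://xyz.abc.com/saml-error";
    private static final String APP_LOGIN_URL = "https://xyz.abc.com/";

    @Override
    public void preSendFailureResponse(HttpServletRequest request,
                                       HttpServletResponse response,
                                       String faultCode,
                                       String faultDetail) throws SAML2Exception {
        if (response.isCommitted()) {
            // Too late to redirect; let AM send its normal failure response.
            return;
        }
        try {
            response.sendRedirect(buildRedirect(ERROR_PAGE, APP_LOGIN_URL, faultCode));
        } catch (IOException e) {
            // Surface the failure to AM rather than silently dropping the request.
            throw new SAML2Exception(e.getMessage());
        }
    }

    /**
     * Builds the error-page URL. Only a coarse reason and the fixed login URL are
     * passed on; the raw faultDetail stays in the server log (it is logged by AM),
     * not in the user's address bar.
     */
    static String buildRedirect(String errorPage, String appLoginUrl, String faultCode) {
        String reason = (faultCode == null || faultCode.isEmpty())
                ? "federation_error"
                : "session_expired";
        return errorPage
                + "?reason=" + URLEncoder.encode(reason, StandardCharsets.UTF_8)
                + "&login=" + URLEncoder.encode(appLoginUrl, StandardCharsets.UTF_8);
    }
}
```

After packaging the class on AM's classpath, the adapter is selected in the hosted IdP's Assertion Processing settings; the error page itself is an ordinary static page on the application side that reads the reason parameter and shows the login link, which keeps the user-facing text under the application team's control.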