IBM Verify

  • 1.  Need SAML 2.0 mapping rule to determine whether to continue with federation or redirect elsewhere.

    Posted Fri May 28, 2021 12:27 PM

    Hi,

    I have a SAML federation whose IdP mapping rule has logic to make a web service call.  Depending on the results of that call, I want the mapping rule to make a determination to either continue with the federation logic with the redirect to the partner with the SAML assertion or abort the federation and redirect to another URL to display a message.  How can I accomplish stopping the federation and sending a redirect to another URL?

    Thanks,
    Mike



    ------------------------------
    Michael Lee
    ------------------------------


  • 2.  RE: Need SAML 2.0 mapping rule to determine whether to continue with federation or redirect elsewhere.

    Posted Mon May 31, 2021 04:23 AM
    Hi Michael,

    From the IdP mapping rule, to abort the flow you could use the following JS API:  IDMappingExtUtils.throwSTSException(String message)
    It will abort the current SSO flow and return an error page to the user.

    Best Regards

    Chen Yongming

    ------------------------------
    Yongming Chen
    ------------------------------



  • 3.  RE: Need SAML 2.0 mapping rule to determine whether to continue with federation or redirect elsewhere.

    Posted Mon May 31, 2021 08:08 AM

    If I remember the SAML spec correctly, the IdP shouldn't terminate the SSO flow and present a message to the user. In the event of an issue with SSO, an error should be returned to the SP for it to handle. I think this is what will happen if an exception is thrown at the IdP.


    Jon. 



    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 4.  RE: Need SAML 2.0 mapping rule to determine whether to continue with federation or redirect elsewhere.

    Posted Mon May 31, 2021 09:17 PM
    Hi Jon,

    Yes, you are right, for SP initiated SSO flow, when the flow fails in IdP STS, a SAML response including the error code instead of an Assertion will be sent to the SP; for IdP initiated SSO flow, the error page will be returned from IdP to the user browser.

    Best Regards

    Chen Yongming

    ------------------------------
    Yongming Chen
    ------------------------------



  • 5.  RE: Need SAML 2.0 mapping rule to determine whether to continue with federation or redirect elsewhere.

    Posted Tue June 01, 2021 09:39 AM
    We had a similar situation ourselves. A web service call was being made from the mapping rules that included required data for the SP. When the WS call failed, we needed to halt the process. The problem is the decision to send the user has already been made and the mapping rules are only building the SAML message for the SP. There's no way to change that decision. I check for a null return value and a 200 return code, otherwise an STSModuleException is thrown with a message that this is NOT a STS Module exception.

    else throw STSModuleException("Non 200 return code from 103 call. This is an application error, NOT an ISAM one. Check java logs.")

    This is the only way I've gotten it to work and we've passed this by various IBM folks with the same answer. Good luck to you! It's not graceful, but it does prevent the flow from continuing to send the user along to the SP with incomplete information.

    ------------------------------
    David Gianetti
    ------------------------------



  • 6.  RE: Need SAML 2.0 mapping rule to determine whether to continue with federation or redirect elsewhere.

    Posted Wed June 02, 2021 05:04 PM

    Thank you all for the suggestions.  This is an IdP-initiated federation.  I should have stated that earlier.  It appears that the solutions include throwing an exception within the mapping rule.  This puts a message into the trace.log file, but the user's end result is still an ugly message coming back to the browser.  It looks like it comes from the authn_failed.html template.  Is that the only option, to edit that template displaying something more meaningful?

     

    Thanks,

    Mike

     
