ADFS Custom 401 Error Page for denied Access
Hi derSchweiger,
It is possible to display a custom 401 error page if a user is not permitted to access a certain SAML/OIDC application due to the applied access policy.
To do this, you need to configure a custom error page in ADFS:
1. Open the ADFS Management Console.
2. Go to Policies > Claims Providers > Edit Claim Provider for the claim provider that you want to configure.
3. In the Claims Provider Properties dialog box, go to the Advanced tab.
4. In the Custom Error Pages section, click Add.
5. In the Add Custom Error Page dialog box, enter the following information:
   - Error Code: 401
   - Error Page URL: The URL of your custom error page.
6. Click OK to save your changes.
Once you have configured a custom error page, you need to make sure that the application that you are trying to access is configured to use the ADFS claims provider:
1. Open the application's configuration file.
2. Locate the section that configures the ADFS claims provider.
3. Add the following attribute to the ClaimsProvider element:
custom-error-page="https://YOUR_ADFS_SERVER/adfs/ls/idpinitiatedsignon.aspx?error-code=401"
Replace YOUR_ADFS_SERVER with the URL of your ADFS server.
Once you have made this change, save the configuration file and restart the application.
When a user tries to access the application and they are not permitted to access it, they will be redirected to the custom error page that you configured in ADFS:
<!DOCTYPE html>
<html>
<head>
<title>Access Denied</title>
</head>
<body>
<h1>Access Denied</h1>
<p>You are not permitted to access this application.</p>
</body>
</html>
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.
If the post was useful in other ways, please consider giving it Like.
Kindest regards,
Leon Pavesic
LeonPavesic Thank you for your answer, but are you sure that this applies to the newest ADFS version?
1. Open the ADFS Management Console.
2. Go to Policies > Claims Providers > Edit Claim Provider for the claim provider that you want to configure.
I think you are talking about "Claims Provider Trust"?
The option to access "Properties" is greyed out.
Another approach I've tried is to configure the "ErrorPageAuthorizationErrorMessage" parameter with PowerShell:
Set-AdfsGlobalWebContent -ErrorPageAuthorizationErrorMessage "You have received an Authorization error. Contact IT for assistance."
But I cannot find any difference after setting this parameter.
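As an added example (not posted by anyone in this thread), the following PowerShell sets the authorization-error text globally and for a single relying party, then reads both back so the stored values can be verified instead of guessed at from the browser. The relying party name is a placeholder.

```powershell
# Added example (not from the thread): set the ADFS authorization-error text
# globally and for one relying party, then read both back to confirm what ADFS
# actually stored. Run in an elevated PowerShell session on an ADFS server.
# 'Contoso Portal' is a placeholder; use your own relying party trust name.

$rpName  = 'Contoso Portal'
$message = 'You are not permitted to access this application. Contact IT for assistance.'

# Global (invariant-locale) setting: used for every relying party that has no
# relying-party-specific web content of its own.
Set-AdfsGlobalWebContent -ErrorPageAuthorizationErrorMessage $message

# Per-relying-party override: takes precedence over the global text, but only
# for this relying party.
Set-AdfsRelyingPartyWebContent -TargetRelyingPartyName $rpName `
    -ErrorPageAuthorizationErrorMessage $message

# Verification: list the stored text per locale. If a locale-specific entry
# (e.g. de-DE) exists, browsers requesting that language get that entry, so
# changing only the invariant entry can look like "no difference".
Get-AdfsGlobalWebContent |
    Select-Object Locale, ErrorPageAuthorizationErrorMessage

Get-AdfsRelyingPartyWebContent -TargetRelyingPartyName $rpName |
    Select-Object Locale, ErrorPageAuthorizationErrorMessage
```

The text only appears on the ADFS-rendered error page for authorization failures raised by ADFS itself (for example an access control policy denying the user); a denial issued by the application after sign-in is rendered by the application, not by ADFS.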
- LeonPavesic, Sep 25, 2023, Silver Contributor
Hi derSchweiger,
Yes, the steps I provided apply to the newest ADFS version (4.0). However, I apologize for the confusion about the "Claims Provider Trust" dialog box.
If the "Properties" option is grayed out for you, it is because you are trying to edit a built-in claims provider. Built-in claims providers cannot be edited. You need to create a new claims provider trust and then configure it to use your custom error page.
To create a new claims provider trust in ADFS, follow these steps:
Open the ADFS Management Console.
Go to Trust Relationships > Claims Provider Trusts.
Click Add Claim Provider Trust.
On the Welcome page, click Start.
On the Select Data Source page, select Enter data about the claims provider manually.
On the Specify Claim Provider Type page, select the type of claims provider that you want to create.
On the Specify Claim Provider Details page, enter the following information:
- Claim provider name: The name of the claims provider.
- Claim provider identifier: The identifier of the claims provider. This is a unique value that is used to identify the claims provider to ADFS.
- Metadata URL: The URL of the claims provider's metadata. This is optional, but it is recommended.
- Supported identity types: The types of identities that the claims provider supports.
On the Configure Claims Issuance page, select the claims that you want to issue to users when they authenticate to the claims provider.
On the Configure Claims Acceptance page, select the claims that you want to accept from the claims provider.
On the Relying Party Trusts page, select the relying party trusts that you want to trust the claims provider.
On the Ready to Add Trust page, review the settings and then click Add.
Once you have created a new claims provider trust, you can configure it to use your custom error page by following the steps in my previous response.
Kindest regards,
Leon Pavesic
- derSchweiger, Sep 27, 2023, Brass Contributor
Please correct me if I'm wrong, but you can't create an AD DS Claims Provider Trust on your own?
- LeonPavesic, Sep 27, 2023, Silver Contributor
Hi derSchweiger,
Please note that the ability to customize error pages for individual Claims Provider Trusts is not a standard feature in ADFS. Customizing error handling and messaging in your applications is usually the recommended approach for providing a better user experience when access is denied.
If you have specific requirements or limitations within your environment, you may want to consult Microsoft's official documentation or consider seeking assistance from Microsoft Support to explore additional customization options.
Kindest regards,
Leon Pavesic