Forum Discussion
ADFS Custom 401 Error Page for denied Access
Hi,
is it possible to display a custom 401 error page if a user is not permitted to access a certain SAML/OIDC application due to the applied access policy?
Currently, if the user tries to access an application, he gets redirected to ADFS. After authentication, the user gets redirected back to the application although ADFS has not generated a token due to the configured access policy denies access. After that, the application displays a generic error message like "Unknown Login Error. Please try again".
Current flow:
- User accesses application
- Gets redirected to ADFS
- Authenticates in ADFS (user is not permitted to authenticate)
- Gets redirected back to the application
- Gets a generic error message from the application
Is there any way to configure a custom error message in ADFS to change this behaviour? I don't want to redirect the user back to the application if he is not allowed to access it. In my opinion, the following flow would be much user friendly:
- User accesses application
- Gets redirected to ADFS
- Authenticates in ADFS (user is not permitted to authenticate)
- ADFS displays an error message (You are not allowed to use this application)
Any help is appreciated!
Hi derSchweiger,
it is possible to display a custom 401 error page if a user is not permitted to access a certain SAML/OIDC application due to the applied access policy.
To do this, you need to configure a custom error page in ADFS:
1. Open the ADFS Management Console.
2. Go to Policies > Claims Providers > Edit Claim Provider for the claim provider that you want to configure.
3. In the Claims Provider Properties dialog box, go to the Advanced tab.
4. In the Custom Error Pages section, click Add.
5. In the Add Custom Error Page dialog box, enter the following information:
Error Code: 401
6. Error Page URL: The URL of your custom error page.
7. Click OK to save your changes.
Once you have configured a custom error page, you need to make sure that the application that you are trying to access is configured to use the ADFS claims provider:1. Open the application's configuration file.
2. Locate the section that configures the ADFS claims provider.
3. Add the following attribute to the ClaimsProvider element:custom-error-page="https://YOUR_ADFS_SERVER/adfs/ls/idpinitiatedsignon.aspx?error-code=401"
Replace YOUR_ADFS_SERVER with the URL of your ADFS server.Once you have made this change, save the configuration file and restart the application.
When a user tries to access the application and they are not permitted to access it, they will be redirected to the custom error page that you configured in ADFS:
<!DOCTYPE html> <html> <head> <title>Access Denied</title> </head> <body> <h1>Access Denied</h1> <p>You are not permitted to access this application.</p> </body> </html>Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.If the post was useful in other ways, please consider giving it Like.
Kindest regards,
Leon Pavesic
LeonPavesic Thank you for your answer but are you sure that this applies to newest ADFS version?
1. Open the ADFS Management Console.
2. Go to Policies > Claims Providers > Edit Claim Provider for the claim provider that you want to configure.I think you are talking about "Claims Provider Trust"?
The option to access "Properties" is greyed out.
Another approach I've tried is to configure the "ErrorPageAuthorizationErrorMessage" parameter with PowerShell:
Set-AdfsGlobalWebContent -ErrorPageAuthorizationErrorMessage "You have received an Authorization error. Contact IT for assistance."
But I cannot find any difference after setting this parameter.
Hi derSchweiger,
Yes, the steps I provided apply to the newest ADFS version (4.0). However, I apologize for the confusion about the "Claims Provider Trust" dialog box.
If the "Properties" option is grayed out for you, it is because you are trying to edit a built-in claims provider. Built-in claims providers cannot be edited. You need to create a new claims provider trust and then configure it to use your custom error page.To create a new claims provider trust in ADFS, follow these steps:
Open the ADFS Management Console.
Go to Trust Relationships > Claims Provider Trusts.
Click Add Claim Provider Trust.
On the Welcome page, click Start.
On the Select Data Source page, select Enter data about the claims provider manually.
On the Specify Claim Provider Type page, select the type of claims provider that you want to create.
On the Specify Claim Provider Details page, enter the following information:
- Claim provider name: The name of the claims provider.
- Claim provider identifier: The identifier of the claims provider. This is a unique value that is used to identify the claims provider to ADFS.
- Metadata URL: The URL of the claims provider's metadata. This is optional, but it is recommended.
- Supported identity types: The types of identities that the claims provider supports.
On the Configure Claims Issuance page, select the claims that you want to issue to users when they authenticate to the claims provider.
On the Configure Claims Acceptance page, select the claims that you want to accept from the claims provider.
On the Relying Party Trusts page, select the relying party trusts that you want to trust the claims provider.
On the Ready to Add Trust page, review the settings and then click Add.
Once you have created a new claims provider trust, you can configure it to use your custom error page by following the steps in my previous response.
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.If the post was useful in other ways, please consider giving it Like.
Kindest regards,
Leon Pavesic
