Share all details related to your problem, including any error messages you may have received.
When user login with SSO he can be able to login irrespective of status(Inactive/Active) but here who status is inactive he should not login to IIQ and he should redirect forbidden page (or) Simply display error message on login page.
We have configured SAML Based Single Sign-On (SSO) but here we are not able to redirect forbidden page (or)display error message on login page.
Could you please help us with the configuration how we can do it?
Hi Maruthi,
How I would solve this - first I would change the SSO correlation rule to correlate only to active identities. This will prevent inactive identities from being able to login. In this case user whenever tries to login will see standard IIQ login screen.
This can be changed as it’s only xhtml file containing form to disable non SSO authentication (if your company/customer allows it). That would be the simplest solution.
Otherwise you would need to play around with redirection js script to redirect depending on the identity state but I am personaly not sure if this would be simple/possible without quite significant development on UI side.
Thanks for the reply, Actually I did changes in SAML Correlation that if user is status is active then it will return identity like this it restricting SSO for inactive users but the thing here is if user status is inactive it will fail SSO and landing in login page to enter credentials.
Is it possible from the SAML rule to redirect to forbidden page rather then going UI. How we can redirect can help me with this if you know?
Honestly I don’t know if you can configure different redirection in this case but what I believe would be possible:
if you take a look on $TOMCAT_HOME/webapps/identityiq/ui/loginInclude.xhtml file - this is the page which is displayed after not successfull try of SAML authentication (when no identity is returned).
You can see some of blocks are conditional - so I would try to create conditional block that will display in this case. (for example based on some session variable you can set during SSO Correlation rule execution).
Keep in mind to not create an automatic loop. For instance SSO via Entra ID and redirect the inactive users to the Entra ID Login page. You can add an ‘invalid’ login page with a link to the SSO login page
That’s good option but if Maruthi needs to still be able to use prompt login then he would need to handle whole authentication form in his custom page anyway.
If the SSO Correlation rule does not return a valid identity, it will redirect to promptLoginUrl. So there is no need to redirect it from the rule directly, but have the promptLoginUrl do the work for you and redirect users to any other page to your liking.
By Default the promptLoginUrl is set to /login.jsf?prompt=true, hence it will allow you to login without SSO.
Returning NULL will redirect the user to the URL specified in promptLoginUrl. OOTB this wlll be /login.jsf?prompt=true. The question here is how to change the OOTB redirect to /login.jsf?prompt=true
So OOTB returning nothing does not fit the requirement
If the SSO Correlation rule does not return a valid identity, it will redirect to promptLoginUrl. So there is no need to redirect it from the rule directly, but have the promptLoginUrl do the work for you and redirect users to any other page to your liking.
By Default the promptLoginUrl is set to /login.jsf?prompt=true, hence it will allow you to login without SSO.
The SAMLCorrelation rule tries to find an identity as usual
If the rule does not find a corresponding user, a new Identity named samlErrorIdentity is created. - The identity is name is samlErrorIdentity + new guid - The firstname is samlErrorIdentity - The lastname is new guid - The email and other attributes are set from the SAML assertion. - The user is assigned the SamlToolsPluginErrorUser capability in IIQ.
If the rule encounters a SailPoint GeneralException, a new samlErrorIdentity is created.
If the rule encounters a Java Exception, a new samlErrorIdentity is created.
In all cases above, a matching Custom object is created that also has the error information.
The user is logged into IIQ as the new samlErrorIdentity.
The user is directed to the home page as is normal.
The user has the SamlToolsPluginErrorUser spRight, so the plugin runs. The plugin updates the UI to hide all the elements, then adds the error information and instructions to create a ticket including the new identity name with the guid so you can tie it back. The plugin only updates the UI, it does not run any rules etc.
The help desk resolves the ticket and deletes the samlErrorIdentity identity.
The rules, spright and other objects are standard in this example. Only the UI updates by the plugin are custom.
@Remold
In rare circumstances, an administrator must bypass the sso flow by putting “/login.jsf?prompt=true” to the end of the login rule. By changing the value of promptLoginUrl, In this situation, the administrator will be sent to an user defined page and would not be able to login.
The promptLoginUrl is only used to redirect users when there is no valid session. It does not specify which URL is to be used for the username/password login URL.
An administrator can still use the prompt=true, by just entering the full URL in the browser.
