
WSO2 Identity Server Custom error message

We are using WSO2 Identity Server 5.8.0.

We have made an extension to the org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager located in the project identity-outbound-auth-samlsso

Basically we need to add some checks to the SAML Response when we use external IdPs based on SAML authentication.

We made all the checks and all works good. We are facing one little issue. In some cases, when some access errors happen, we need to customize the error message to the user. I saw here that it's possible to customize the error message and it's possible to configure WSO2 IS in order to pass the error code in a request param. So, what I wanted to do is to generate a custom error code when one error happens. I tried the previous configuration and then in the org.wso2.carbon.identity.application.authenticator.samlsso.SAMLSSOAuthenticator class I did the following

@Override
protected void processAuthenticationResponse(HttpServletRequest request, HttpServletResponse response, AuthenticationContext context) throws AuthenticationFailedException {
    try {
        //Original code
    } catch (SPIDCheckException spe) {
        // whenever the code reaches here the subject identifier will be null. Therefore we can't pass AuthenticatedUser object with the exception.
        AuthenticationFailedException afe = new AuthenticationFailedException(spe.getMessage(), spe);
        afe.setErrorCode("MY_CUSTOM_ERROR_CODE");
        throw afe;
    }
}

I was expecting that with the previous configuration my custom code would appear in a request parameter, but it's not so. So I had to find a workaround; my solution was to add a cookie to the response, but I don't like it.

Is there any chance to propagate a custom error code from SAMLSSOAuthenticator to the login error JSP page in a query string param?

Am I missing anything?

Thank you

Angelo

         context.setProperty("AuthErrorCode", "666");
         context.setProperty("AuthErrorMessage", "extended class error message");

Set the above inside the processAuthenticationResponse method's catch block. The parameters will be passed to the retry page as URL params.

EDIT to cater new details of the comment.

The flow is as 'SAML -> SAML'. But the above suggested improvement was only introduced in 'Oauth -> SAML/Oauth' flows. This was initially introduced to 5.3.0. But, I've just checked 5.8.0 as well, and it's there.

The architecture is like this.

Inbound Authenticator -> Framework -> Outbound Authenticator

In the original improvement, WSO2 fixed the framework component and the inbound OAuth components, so that anyone can set those properties on the framework context, and those will be propagated to the inbound side. If the inbound is OAuth, this works by default, as the OAuth inbound authenticator was also addressed in the same improvement.

Since your inbound is not Oauth, but SAML, your default SAML inbound authenticator doesn't know how to read the set properties from the framework's context object.

If you want to achieve this, you need to write a custom 'Inbound SAML Authenticator' as well. (As of now you've written an outbound SAML authenticator. We need that as well to populate the error message.)

Extend the existing SAML inbound authenticator and write a new authenticator to read and set the error message.
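The outbound half of the answer, written out as an added example (this is not code from the question, the answer or the WSO2 project): an authenticator extending SAMLSSOAuthenticator whose catch block sets the AuthErrorCode and AuthErrorMessage properties the answer names, and still throws the AuthenticationFailedException the asker already throws. Assumptions: AuthenticationContext exposes setProperty(String, Object) as in the WSO2 IS 5.x framework, the asker's SPIDCheckException is unchecked and surfaces from the manager called by super.processAuthenticationResponse, and the mapping of codes to messages (CustomSAMLSSOAuthenticator, MESSAGES, SAFE_CODE) is the example's own. Because the framework reflects these values into the retry page's query string, the example only ever emits a fixed code matching an allow-list and a fixed message keyed by that code, never text taken from the external IdP's SAML response. The custom inbound SAML authenticator the answer also calls for is not shown, since its class names are not on the page.

```java
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException;
import org.wso2.carbon.identity.application.authenticator.samlsso.SAMLSSOAuthenticator;

// Hypothetical subclass (example name, not part of the page or the project).
public class CustomSAMLSSOAuthenticator extends SAMLSSOAuthenticator {

    // Property names are the ones the answer says the framework propagates.
    static final String PROP_CODE = "AuthErrorCode";
    static final String PROP_MESSAGE = "AuthErrorMessage";

    // The asker's code from the question; used as the fallback for unknown codes.
    static final String DEFAULT_CODE = "MY_CUSTOM_ERROR_CODE";

    // Only codes of this shape are reflected into the retry page URL.
    private static final Pattern SAFE_CODE = Pattern.compile("[A-Z0-9_]{1,64}");

    // Fixed, operator-controlled messages keyed by code (constructed sample values).
    private static final Map<String, String> MESSAGES = Map.of(
            DEFAULT_CODE, "The identity provider response failed an access check.");

    @Override
    protected void processAuthenticationResponse(HttpServletRequest request,
                                                 HttpServletResponse response,
                                                 AuthenticationContext context)
            throws AuthenticationFailedException {
        try {
            // Assumed: the asker's SAML response checks run inside the manager
            // invoked here and raise SPIDCheckException (unchecked) on failure.
            super.processAuthenticationResponse(request, response, context);
        } catch (SPIDCheckException spe) {
            // Subject identifier is null at this point, so no AuthenticatedUser
            // is attached; only the code and message go onto the context.
            String code = sanitizeCode(DEFAULT_CODE);
            context.setProperty(PROP_CODE, code);
            context.setProperty(PROP_MESSAGE, messageFor(code));

            AuthenticationFailedException afe =
                    new AuthenticationFailedException(spe.getMessage(), spe);
            afe.setErrorCode(code);
            throw afe;
        }
    }

    // Returns the code unchanged if it matches the allow-list, else the default.
    static String sanitizeCode(String code) {
        if (code != null && SAFE_CODE.matcher(code).matches()) {
            return code;
        }
        return DEFAULT_CODE;
    }

    // Never forwards free text from the IdP response; unknown codes get the default message.
    static String messageFor(String code) {
        return MESSAGES.getOrDefault(code, MESSAGES.get(DEFAULT_CODE));
    }
}
```

The two helpers are static so they can be unit-tested without a servlet container; the framework-facing override is the only method that touches the context. A custom inbound SAML authenticator would then read PROP_CODE and PROP_MESSAGE from the context when building the retry URL, which is the step the answer says the default SAML inbound authenticator lacks.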

