I’m using Keycloak as an SP to ADFS. Things work well until we encounter a failure response from ADFS like the following:
<samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />
    </samlp:StatusCode>
</samlp:Status>
In these cases (the NameID error is just an example; there are other statuses that cause this), Keycloak redirects to the IdP, receives the same error at the assertion consumer, and loops until stopped. I’ve looked through the docs, but it’s not clear to me where error responses can be handled. I’d like to display a simple failure page rather than redirect to the IdP again. Can anybody shed some light on this for me?
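The decision the post is asking for, as an added Python sketch that is not Keycloak's own code (Keycloak's SAML broker is Java): it walks the nested StatusCode chain of a SAML Response and treats any non-Success top-level status as final, rendering an error instead of issuing a new AuthnRequest. The two sample responses are constructed, and `decide` and `LoopGuard` are hypothetical names.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed samples (not captured traffic), shaped like the ADFS failure quoted above.
FAILURE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""
SUCCESS_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" ID="_r2" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
</samlp:Response>"""


def status_codes(response_xml: str) -> list:
    """Return the StatusCode chain, outermost first, e.g. [Requester, InvalidNameIDPolicy]."""
    root = ET.fromstring(response_xml)
    codes = []
    node = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    while node is not None:
        codes.append(node.get("Value", ""))
        node = node.find(f"{{{SAMLP}}}StatusCode")  # nested code carries the detail
    return codes


def decide(response_xml: str) -> tuple:
    """Assertion-consumer decision: ('accept', None) or ('show_error', reason).
    Assumes the caller has already verified the response signature."""
    codes = status_codes(response_xml)
    if not codes:
        return ("show_error", "missing-status")
    if codes[0] == SUCCESS:
        return ("accept", None)
    # Any non-Success top-level code is final: show a failure page and do NOT
    # start another AuthnRequest, since the IdP will answer the same way again.
    return ("show_error", codes[-1])


class LoopGuard:
    """Counts IdP round trips per browser session so an unexpected response cannot
    bounce the user forever, even if the status check above is bypassed."""
    def __init__(self, limit: int = 2):
        self.limit, self.attempts = limit, {}

    def may_redirect(self, session_id: str) -> bool:
        n = self.attempts.get(session_id, 0) + 1
        self.attempts[session_id] = n
        return n <= self.limit
```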