Redirect to error page during (or after) attribute mapping

I’ve created some custom SAML attribute mappers, but I want to be able to halt the login process, invalidate the login session and cookies, redirect the user to an error page, and display a custom error.

I tried creating a custom authenticator and adding it to the end of my browser authentication flow, but authenticators all execute before SAML mappers. I want to execute something right after SAML mapping is performed (or during the SAML mapping - if there’s a way to redirect from a mapper, that would work).

Any suggestions?

You could try to define a custom authentication flow containing only the execution of your custom authenticator. Then configure the identity provider to use this flow as “Post Login Flow”. If your custom authenticator is written in JavaScript, you can stop the login process and display an error page using code like this (simplified):

var AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
// Status = Java.type("");  // the Java class name is missing in this snippet and Status is not used below

function authenticate(context) {

    // do your checks here...
    var checksOk = true;  // replace with the result of your checks

    // if checks are ok...
    if (checksOk) {
        context.success();
        return;
    }

    // if checks fail...
    // 'session' is one of the bindings Keycloak makes available to script authenticators
    var formBuilder = context.form();
    var form = formBuilder
        .setAttribute('client', session.getContext().getClient())
        .createForm('your-custom-forbidden.ftl');  // within this ftl, you can access the client
    context.failure(AuthenticationFlowError.INVALID_USER, form);
}
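The same "Post Login Flow" approach written as a Java authenticator, as an added example that is not code from the answer above or from Keycloak itself. Java avoids the script-based authenticator, which Keycloak only loads when its scripts feature is enabled. The example assumes a SAML "Attribute Importer" mapper writes the assertion attribute into the user attribute named "department", that the login theme contains a template called "your-custom-forbidden.ftl" (the name used in the answer), and that the package name, provider id and required value are hypothetical placeholders.

```java
package com.example.keycloak.auth;  // hypothetical package name

import java.util.List;
import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

/**
 * Authenticator meant to be the only execution of a flow that is configured as
 * the identity provider's "Post Login Flow". By then the SAML attribute mappers
 * have already run, so the brokered user's attributes can be inspected and the
 * login halted with a custom page when they are not acceptable.
 */
public class AttributeCheckAuthenticator implements Authenticator {

    // Assumption: a SAML Attribute Importer mapper stores the assertion attribute here.
    static final String ATTRIBUTE = "department";
    static final String ALLOWED = "security";                      // hypothetical required value
    static final String ERROR_TEMPLATE = "your-custom-forbidden.ftl"; // template in the login theme

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // The broker sets the authenticated user before the post login flow runs.
        UserModel user = context.getUser();
        String value = user == null ? null : user.getFirstAttribute(ATTRIBUTE);

        if (ALLOWED.equals(value)) {
            context.success();   // let the flow continue
            return;
        }

        // Halt the login: mark the flow as failed and return the rendered template.
        // The template can use ${client} and ${reason} like any other login-theme page.
        context.failure(AuthenticationFlowError.ACCESS_DENIED,
                context.form()
                        .setAttribute("client", context.getAuthenticationSession().getClient())
                        .setAttribute("reason", value == null ? "attribute missing" : "attribute not allowed")
                        .createForm(ERROR_TEMPLATE));
    }

    @Override public void action(AuthenticationFlowContext context) { /* no form is submitted back */ }
    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }

    /** Factory that Keycloak discovers through META-INF/services/org.keycloak.authentication.AuthenticatorFactory. */
    public static class Factory implements AuthenticatorFactory {
        static final String ID = "attribute-check-authenticator";   // hypothetical provider id
        private static final AttributeCheckAuthenticator SINGLETON = new AttributeCheckAuthenticator();
        private static final AuthenticationExecutionModel.Requirement[] REQUIREMENTS = {
                AuthenticationExecutionModel.Requirement.REQUIRED,
                AuthenticationExecutionModel.Requirement.DISABLED };

        @Override public String getId() { return ID; }
        @Override public Authenticator create(KeycloakSession session) { return SINGLETON; }
        @Override public String getDisplayType() { return "Check SAML-mapped attribute"; }
        @Override public String getReferenceCategory() { return null; }
        @Override public boolean isConfigurable() { return false; }
        @Override public AuthenticationExecutionModel.Requirement[] getRequirementChoices() { return REQUIREMENTS; }
        @Override public boolean isUserSetupAllowed() { return false; }
        @Override public String getHelpText() { return "Fails the login when the mapped attribute is missing or not allowed."; }
        @Override public List<ProviderConfigProperty> getConfigProperties() { return List.of(); }
        @Override public void init(Config.Scope config) { }
        @Override public void postInit(KeycloakSessionFactory factory) { }
        @Override public void close() { }
    }
}
```

Package the class in a jar together with a file META-INF/services/org.keycloak.authentication.AuthenticatorFactory that contains the factory's fully qualified class name, drop it into the providers directory, then create a flow with this execution as its only step (Required) and select that flow as the SAML identity provider's "Post Login Flow". The example only stops the flow and renders the page; it makes no claim about terminating the upstream IdP session, which a SAML single logout would have to handle separately.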