Handling idP AuthnFailed responses

We have created a SP using the Middleware approach with the licensed SAML component in asp.net core 2.1.

The idP on our partner’s side is PingFederate. Everything works like a charm when people use valid credentials.

However, under certain circumstances the idP server will return the following response:

…<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed" /></samlp:StatusCode>…

Currently a SamlErrorStatusException is thrown, finally resulting in a 500 Internal Error response. Since a failed authentication is not an exceptional condition we would like to return a 401 Unauthorized instead. This reflects what actually happened.

Using the existing documentation we could not discover how to implement this. Any help or example is appreciated.

Kind regards,

Hi Fred
At the moment that’s not supported.
It’s something we will look at adding. Please email support@componentspace.com to discuss early access to a beta.
It’s worth noting that not all identity providers will send an AuthnFailed if login fails. Some will keep control until login is successful. Others may return a different error status.

Is there any update on this issue?

Support was added in v2.2.0.
The SamlAuthenticationOptions now include an ErrorUrl which defaults to "/Error".
If an error occurs during SSO, including receiving an error status, control is redirected to the ErrorUrl.
The application can then decide whether to display an error page or perform whatever functionality is required.
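The decision the thread asks for, reading the nested samlp:StatusCode chain and answering 401 for AuthnFailed while treating any other error status as unexpected, as an added example that is not part of the thread and not the ComponentSpace component's own code or API. It uses only the Python standard library, and the SAML responses it parses are constructed samples built by the `_response` helper (an assumption of this example), not captured PingFederate traffic.

```python
"""Map the samlp:Status of a SAML 2.0 Response to the HTTP status an SP should answer with.

Added illustration written in plain Python; it is not the licensed SAML
component's API.  It shows only the decision logic discussed in the thread:
AuthnFailed -> 401, Success -> carry on validating, anything else -> 500 + log.
"""
import logging
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"
log = logging.getLogger("saml-status")


def _samlp(tag):
    """Clark-notation name for an element in the samlp namespace."""
    return f"{{{SAMLP_NS}}}{tag}"


def status_code_chain(response_xml):
    """Return the StatusCode Values of a Response, outermost first.

    SAML 2.0 uses a top-level code (Success, Requester, Responder,
    VersionMismatch) with optional nested second-level codes such as
    AuthnFailed, so the chain is walked instead of reading one element.
    """
    root = ET.fromstring(response_xml)
    status = root.find(_samlp("Status"))
    if status is None:
        raise ValueError("Response carries no samlp:Status")
    chain = []
    node = status.find(_samlp("StatusCode"))
    while node is not None:
        chain.append(node.get("Value", ""))
        node = node.find(_samlp("StatusCode"))
    if not chain:
        raise ValueError("samlp:Status carries no StatusCode")
    return chain


def http_status_for(chain):
    """Translate a StatusCode chain into the HTTP status the SP should return."""
    if chain[0] == STATUS + "Success":
        # Success only means the IdP answered: the assertion still has to be
        # signature-checked and validated before anyone is signed in.
        return 200
    if STATUS + "AuthnFailed" in chain:
        # The user failed to authenticate at the IdP.  That is not an
        # exceptional condition for the SP, so answer 401 rather than 500.
        return 401
    # Other error statuses (IdPs differ, as the reply in the thread notes) are
    # unexpected for this SP: log the whole chain so it can be investigated.
    log.warning("Unexpected SAML status chain from IdP: %s", " > ".join(chain))
    return 500


def classify_response(response_xml):
    """Convenience wrapper: returns (http_status, status_code_chain)."""
    chain = status_code_chain(response_xml)
    return http_status_for(chain), chain


def _response(*codes, message=None):
    """Build a minimal constructed samlp:Response with the given nested codes."""
    inner = ""
    for code in reversed(codes):  # innermost code is wrapped first
        inner = f'<samlp:StatusCode Value="{STATUS}{code}">{inner}</samlp:StatusCode>'
    msg = f"<samlp:StatusMessage>{message}</samlp:StatusMessage>" if message else ""
    return (f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_constructed" Version="2.0" '
            f'IssueInstant="2019-01-01T00:00:00Z"><samlp:Status>{inner}{msg}'
            f'</samlp:Status></samlp:Response>')


# Constructed samples (not real IdP output).
AUTHN_FAILED = _response("Responder", "AuthnFailed", message="Authentication failed")
SUCCESS = _response("Success")
UNKNOWN_ERROR = _response("Responder", "NoPassive")

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for name, xml in (("failed login", AUTHN_FAILED), ("success", SUCCESS), ("other", UNKNOWN_ERROR)):
        code, chain = classify_response(xml)
        print(f"{name}: HTTP {code}  ({' > '.join(c.rsplit(':', 1)[-1] for c in chain)})")
```

In an SP built on the component, this kind of mapping would sit in the handler behind the ErrorUrl mentioned above: inspect the status that caused the redirect and choose 401 or an error page accordingly, rather than letting every non-success status surface as a 500.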