keycloak-scim/docs/documentation/securing_apps/topics/saml/saml-errors.adoc

21 lines
1.1 KiB
Text
Raw Normal View History

[[_saml-errors]]
=== {project_name} specific errors
{project_name} server can send an error to the client application in the SAML response, which may contain a SAML status such as:
[source,xml]
----
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
</samlp:StatusCode>
<samlp:StatusMessage>authentication_expired</samlp:StatusMessage>
</samlp:Status>
----
{project_name} sends this error when a user is authenticated and has an SSO session, but the authentication session expired in the current browser tab and hence {project_name} server cannot automatically do SSO
re-authentication of the user and redirect back to client with successful response. When a client application receives this type of error, it is ideal to retry authentication immediately and send a new
SAML request to the {project_name} server, which should typically always authenticate the user due to the SSO session and redirect back. More details in
the link:{adminguide_link}#_authentication-sessions[{adminguide_name}].