Web SSO Error Handling
When Web SSO is enabled for a Site, and if the Persist username and password credentials for use in Event Rule context variables check box is selected, EFT displays a WARNING prompt. The "persist credentials" feature will not work for accounts that login via Web Single Sign-on (SSO), because there will be no credentials to persist. Instead, you would have to manually specify those credentials for each rule. If you leave the persist credentials feature enabled (or if was already enabled), then EFT will use an empty (NULL) password. (Some users will be able to login normally (if desired), thus the "persist credentials" feature *could* work in those cases, which is why it isn't automatically disabled when SSO is enabled.)
If an error occurs during SSO authentication, EFT will do one of the following:
-
If the SSO reserved path was set to anything other than root "/, EFT shall display an error prompt (see error text below) and redirect the user to the root, displaying the standard login page. This would implicitly allow the user to either a) attempt SSO again (but clicking the SSO button), or b) enter their normal login credentials or as an alternative login method.
-
If the SSO reserved path was set to root "/", EFT will display the appropriate HTTP error, such as 403 for authentication failure. In this use case there is no fallback method since the SSO path and root path are the same, thus refreshing the path (or navigating to root) would simply retry the SSO process. This "forces" SSO as the only authentication mechanism. Failure reasons may include (but are not limited to):
-
-
AuthzDecisionStatement returned Deny or Indeterminate as Decision Type
-
StatusCode element returned anything other than status:Success
-
One or more Condition elements weren't met (e.g. NotOnOrAfter)
-
A timeout occurred when attempting to POST to the Identity Provider or when waiting for a reply
-
Failed message or attribute signature validation or assertion decryption
-
Failed to find, unambiguously match assertion subject to existing and enabled account
-