Deny access to application and redirect to customized error page

This document describes how to deny access to a resource, and redirect the user to a customized error page.

Background

The authenticator AuthController is used to deny access to a resource.

The authenticator typically uses the FlowFail valve to deny access. The valve uses conditions to calculate if the flow should be failed or not.

Pre reqs

The configurator is expected to have good knowledge in the way Fortified ID configuration works

Configure AuthController to deny access

Add the AuthController authenticator to you configuration.
Configure the failed_redirect array to match you fail-message and where to redirect.
Set the use_generic_error_page to true.
Go to the pipe and configure the FlowFail valve which should appear by default.
The message will be displayed in the log-file and also used for triggering the specific redirect. Adjust the value to suite your use case.
Adjust the exec_if_expr parameter to suite YOUR use case.

Examples AuthController

{
  "id": "authcontroller_1",
  "type": "AuthController",
  "description": "The AuthController authenticator is responsible for various levels of controls.",
  "config": {
    "base_path": "${globals.default_login_suffix}",
    "pipe_id": "authcontroller_1_pipe",
    "use_generic_error_page": true,
    "_fail_location": "https://fortifiedid.se",
    "failed_redirect": [
      {
        "pattern": ".*Step-up was performed by other person.*",
        "target": "${globals.default_login_suffix}/access/noaccess"
      },
      {
        "pattern": ".*Access denied to Application.*",
        "target": "${globals.default_login_location}/access/noaccess"
      }
    ]
  },
  "display_name": "Check access denied"
}

Examples Flow fail

If the SP has a specific entityID and the user NOT is member of a certain group

{
      "name" : "FlowFail",
      "exec_if_expr" : "str.isEqual(exports.spEntityID, 'https://app.company.org/samlsp') && !mv.matchAny(exports.memberOf, 'group-Access')",
      "config" : {
        "message" : "Access denied to Application"
      }      
}

If the value of two properties are not equal

{
    "name": "FlowFail",
    "exec_if_expr": "exports.mfa_identifier[0] != exports.personalNumber",
  "config": {
    "message": "Step-up was performed by other person."
  }
}

Configure the redirect endpoint

An information endpoint is used to for this.

Add an information endpoint according to the example below OR extend your current information endpoint with the endpoint from the example

{
  "name": "InformationEndpoint",
  "display_name": "Information Endpoint",
  "description": "Information Endpoint",
  "config": {
    "http_listener": "default",
    "http_context": "/access",
    "webroot_dir": "web/infoendpoint",
    "endpoint": [
      {
        "context_path": "/noaccess",
        "overlay_dir": "${globals.default_overlay_dir}",
        "template": "generic.template"
      }
    ]
  }
}

Configure translation

The information endpoint configuration is using translations for what message to show to the end user. This is done by using the key value from the context_path.header and context_path.paragraph.

An example of translations matching the configuration above would be

{
  "noaccess.header": "Access denied",
  "noaccess.paragraph": "The access is denied to this application. Please contaxt helpdesk for further information."
}

Customizing UI

To make the page look more pretty the header logo might need to be disabled. Please update the ui_config_overrides.json with the following configuration in order to do so.

"noaccess": {
        "logos": {
            "access_header": false
        }
    }

PreviousWiki.js - OpenID Connect (OIDC)

Last updated 3 days ago