ErrorPage Class Overview

Active Directory Federation Services 2.0
 

The code-behind class for the error.aspx page derives from the ErrorPage class. You can modify this page to customize the error handling of the Active Directory® Federation Services (AD FS) 2.0 Sign In pages.

The ErrorPage class exposes two properties. The Exception property displays the exception that describes the error for which the user was redirected to this page. The ActivityId property provides an identifier that can help an administrator find additional information about the error.

The default error handling implemented in the error.aspx.cs code-behind file examines the Exception property and displays an error message for authorization and authentication exceptions. For all other conditions it optionally displays the exception message, depending on whether the displayExceptions key is defined under the <appSettings> section in the web.config file. By default, this key is not defined and the exception message is not displayed. For more information, see Customizing the AD FS 2.0 Sign-In Pages Using Web.config. The default handling also displays the value of the ActivityId property with a message to contact the system administrator for more information.

Partial logout in SAMLP is considered a soft failure. The session participant should continue to log out of the other parties. The following example shows how to detect and provide custom handling for a SAMLP partial logout error. With this example, on a partial logout condition, the user is redirected to the PartialLogout.aspx page. At this page, she is presented with a message that explains the condition and a Clean cookie button. The user may either close the browser or click the Clean cookie button to handle the condition. By clicking the Clean cookie button, the user can continue to work safely without closing the browser.

To install this example, copy the following code into the Sign In Pages installation folder (by default, c:\inetpub\adfs\ls) using the indicated file names. You need administrator privileges to copy the files.

error.aspx.cs

The following code contains modifications to handle the partial logout error condition. The code in the terminal else statement checks the exception message for strings that identify a partial logout, and, if they are found, redirects the user to the partial logout page, PartialLogout.aspx.

//-----------------------------------------------------------------------------
//
// THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
// ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO
// THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
// PARTICULAR PURPOSE.
//
// Copyright (c) Microsoft Corporation. All rights reserved.
//
//
//-----------------------------------------------------------------------------

using System;

using Microsoft.IdentityServer.Web;
using Microsoft.IdentityServer.Web.UI;

/// <summary>
/// Shows the error page
/// </summary>
public partial class Error : ErrorPage
{
    protected void Page_Load(object sender, EventArgs e)
    {
        AuthorizationFailedException authorizationException = Exception as AuthorizationFailedException;
        AuthenticationFailedException authenticationException = Exception as AuthenticationFailedException;
        if (authorizationException != null)
        {
            //
            // To provide customized authorization error messages, inspect the RequestedRelyingParty
            // property of the authorizationException.  It will contain the identifier of
            // the Relying Party Trust for whom the user is not authorized.
            //
            ExceptionMessageLabel.Visible = true;
            ExceptionMessageLabel.Text = Resources.CommonResources.UnauthorizedText;
            Title = Resources.CommonResources.AccessDeniedTitle;
        }
        else if (authenticationException != null)
        {
            ExceptionMessageLabel.Visible = true;
            ExceptionMessageLabel.Text = Resources.CommonResources.UnauthenticatedText;
        }
        else
        {
            // Instead of overwriting error.aspx.cs, you can just add this conditional statement to the file.
            // Exception can be null here, so check it before reading Message.
            if (Exception != null && !String.IsNullOrEmpty(Exception.Message)
                && (Exception.Message.StartsWith("MSIS7054:", StringComparison.Ordinal)
                    || Exception.Message.StartsWith("MSIS7055:", StringComparison.Ordinal)))
            {
                // SAMLP partial logout detected, go to partial logout page.
                // Server.Transfer ends execution of this page, so the lines below do not run in this case.
                Server.Transfer("/adfs/ls/PartialLogout.aspx", true);
            }
            ExceptionMessageLabel.Visible = System.Web.Configuration.WebConfigurationManager.AppSettings["displayExceptions"] != null;
            ExceptionMessageLabel.Text = Exception != null ? Exception.Message : String.Empty;
        }
    }
}
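The sample above echoes Exception.Message to the browser whenever the displayExceptions key is present, which exposes internal error text to unauthenticated users. The following added example (not part of the AD FS 2.0 sample code) shows the alternative a defender usually wants: the full exception is written to the server-side trace listeners keyed by ActivityId, and the user sees only the resource text for authorization and authentication failures or a generic message plus the ActivityId otherwise. It assumes the same ErrorPage base class, the same Exception and ActivityId properties, the same ExceptionMessageLabel control and the Resources.CommonResources strings used on this page; the helper name UserFacingMessage is a hypothetical name chosen for this example.

```csharp
//-----------------------------------------------------------------------------
// Added example: hardened error.aspx.cs code-behind. Not the AD FS 2.0 sample code.
// Assumes ErrorPage exposes Exception and ActivityId, and that error.aspx
// contains the ExceptionMessageLabel control, as described on this page.
//-----------------------------------------------------------------------------
using System;
using System.Diagnostics;

using Microsoft.IdentityServer.Web;
using Microsoft.IdentityServer.Web.UI;

public partial class Error : ErrorPage
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // ActivityId is the correlation value the user can quote to an administrator.
        // Convert.ToString tolerates either a string or a Guid-typed property.
        string activityId = Convert.ToString(ActivityId);

        // Full details (type, message, stack trace) stay on the server. They go to the
        // trace listeners configured under <system.diagnostics> in web.config, where an
        // administrator can look them up by ActivityId.
        if (Exception != null)
        {
            Trace.TraceError("AD FS sign-in error, ActivityId={0}: {1}",
                             activityId, Exception.ToString());
        }

        if (Exception is AuthorizationFailedException)
        {
            Title = Resources.CommonResources.AccessDeniedTitle;
        }

        // The user-facing text never depends on the displayExceptions setting.
        ExceptionMessageLabel.Visible = true;
        ExceptionMessageLabel.Text = UserFacingMessage(Exception, activityId);
    }

    // Hypothetical helper: maps an exception to text that is safe to show an
    // unauthenticated user. Only the two expected failure types get specific text;
    // everything else gets a generic message carrying the ActivityId.
    internal static string UserFacingMessage(System.Exception ex, string activityId)
    {
        if (ex is AuthorizationFailedException)
        {
            return Resources.CommonResources.UnauthorizedText;
        }
        if (ex is AuthenticationFailedException)
        {
            return Resources.CommonResources.UnauthenticatedText;
        }
        return String.Format(
            "An error occurred during sign-in. Contact your system administrator and quote activity ID {0}.",
            activityId);
    }
}
```

With this version the displayExceptions key can stay undefined in production; the trace output gives the administrator what the key would otherwise have shown to every visitor, and the ActivityId on the page is the link between the two.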
  

PartialLogout.aspx

The following code contains the design elements for the partial logout page. It displays informational messages and the Clean cookie button.

<%@ Page Language="C#" MasterPageFile="~/MasterPages/MasterPage.master" AutoEventWireup="true"
    ValidateRequest="false" CodeFile="PartialLogout.aspx.cs"
    Inherits="PartialLogout" Title="Partial Logout"
    EnableViewState="false" runat="server" %>
<%@ OutputCache Location="None" %>

<asp:Content ID="Content1" ContentPlaceHolderID="ContentPlaceHolder1" Runat="Server">

    <div class="GroupLargeMargin"><asp:Label ID="Label1" Text="This is not an error, it is a Partial Logout" runat="server" /></div>
    <div class="GroupLargeMargin"><asp:Label ID="Label2" Text="Not all SAMLP partners logged out. Close the browser for security or click the Clean cookie button." runat="server" /></div>
    <asp:Button ID="CleanCookieButton" runat="server" Text="Clean cookie" OnClick="CleanCookieButton_Click" CssClass="Resizable"/>
</asp:Content>

PartialLogout.aspx.cs

This code implements the partial logout handling. When the Clean cookie button is clicked, it expires the relevant AD FS cookies in the response and redirects the user back to the IdP-initiated sign-on page.

//-----------------------------------------------------------------------------
//
// THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
// ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO
// THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
// PARTICULAR PURPOSE.
//
// Copyright (c) Microsoft Corporation. All rights reserved.
//
//
//-----------------------------------------------------------------------------
using System;
using System.Web;
using System.Web.UI;

public partial class PartialLogout : Page
{
    protected void CleanCookieButton_Click(object sender, EventArgs e)
    {
        // Session and sign-out state cookies issued by the AD FS 2.0 Sign In pages.
        string[] cookieNameList = new string[]
        {
            "SamlSession", "SamlLogout",
            "MSISAuth", "MSISAuth1", "MSISAuth2", "MSISAuth3", "MSISAuth4",
            "MSISAuthenticated", "MSISLoopDetectionCookie",
            "MSISSignOut", "WSFedLogout", "LogoutReturnUrl"
        };

        // Clean the cookies for the session: a cookie with the same name and path and an
        // expiry date in the past tells the browser to discard the stored value.
        foreach (string cookieName in cookieNameList)
        {
            HttpCookie cookie = new HttpCookie(cookieName, String.Empty);
            cookie.Expires = DateTime.UtcNow.AddYears(-1);
            cookie.Path = "/adfs/ls";
            Response.Cookies.Add(cookie);
        }

        // endResponse = true: stop processing this page once the redirect is written.
        Response.Redirect("/adfs/ls/IdpInitiatedSignOn.aspx", true);
    }
}
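A browser only replaces a stored cookie when the name, path and domain of the expiring cookie match the original, so a fixed list with a hard-coded path can silently leave cookies behind. The following added example (not part of the AD FS 2.0 sample code) generalizes the button handler above into a reusable helper: it only expires cookies that are actually present on the request, sets the Secure and HttpOnly flags on the expiring cookie so it is never sent or read over a weaker channel than the original, and returns the number of cookies it expired so the caller can tell whether anything was left. The class and method names (CookieCleaner, ExpireCookies) are hypothetical names chosen for this example; the cookie names and the /adfs/ls path are the ones used on this page.

```csharp
// Added example: cookie-expiry helper for the partial logout page. Not the AD FS 2.0 sample code.
// Assumes the cookie names and the /adfs/ls path used by the sample on this page.
using System;
using System.Web;
using System.Web.UI;

// Hypothetical helper class, named for this example only.
public static class CookieCleaner
{
    // Expires every cookie in 'names' that the browser actually sent on this request.
    // Returns the number of cookies expired so the caller can log or act on it.
    public static int ExpireCookies(HttpRequest request, HttpResponse response,
                                    string[] names, string path)
    {
        int expired = 0;
        foreach (string name in names)
        {
            // Request.Cookies[name] returns null when the browser did not send the cookie;
            // Response.Cookies[name] would create one, so only the request side is checked.
            if (request.Cookies[name] == null)
            {
                continue;
            }

            HttpCookie cookie = new HttpCookie(name, String.Empty);
            cookie.Expires = DateTime.UtcNow.AddYears(-1); // past date: browser discards it
            cookie.Path = path;                            // must match the original cookie's path
            cookie.Secure = request.IsSecureConnection;    // the sign-in pages run over HTTPS
            cookie.HttpOnly = true;                        // keep script from reading the cleared value
            response.Cookies.Add(cookie);
            expired++;
        }
        return expired;
    }
}

public partial class PartialLogout : Page
{
    // Same cookie list as the sample on this page.
    private static readonly string[] AdfsCookieNames = new string[]
    {
        "SamlSession", "SamlLogout",
        "MSISAuth", "MSISAuth1", "MSISAuth2", "MSISAuth3", "MSISAuth4",
        "MSISAuthenticated", "MSISLoopDetectionCookie",
        "MSISSignOut", "WSFedLogout", "LogoutReturnUrl"
    };

    protected void CleanCookieButton_Click(object sender, EventArgs e)
    {
        int expired = CookieCleaner.ExpireCookies(Request, Response, AdfsCookieNames, "/adfs/ls");

        // Record what was cleared so an administrator can confirm the cleanup took effect.
        System.Diagnostics.Trace.TraceInformation(
            "Partial logout cleanup expired {0} AD FS cookie(s) for path /adfs/ls", expired);

        Response.Redirect("/adfs/ls/IdpInitiatedSignOn.aspx", true);
    }
}
```

If AD FS is configured to issue its cookies with a different path or an explicit domain, pass that path (and set cookie.Domain accordingly) so the expiring cookie matches; otherwise the browser keeps the original and the button appears to work while the session state survives.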
