Displaying a simple error page from a flow

Cantor, Scott cantor.2 at osu.edu
Wed Dec 7 16:49:17 EST 2016


On 12/7/16, 4:25 PM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:
>
> It's a terminating flow: this SP requires 2FA, and you haven't signed up. Go sign up from an on-campus IP then sign into
> the SP again.

It sort of matters less than I was thinking it did, because if you're doing this in a script, you can't really just signal an error event there; you have to pass control from that to a flow (or do some weird manipulating you don't really need to mess with). I think this could be made much simpler; I'd have to look into what I can do to signal events directly out of transition rules inside the MFA logic. If you file something on that, I can poke at it later. I was thinking you could do it, but I can't see a way to do it offhand right now.

So right now it's a flow you have to build, but to get things to terminate cleanly, you'd want the flow to just immediately terminate itself with an end-state containing your custom event ID, and then you map that custom event ID to the error view you want to display (in error.xml). Or you could do it all with conditional logic in error.vm as a global template, up to you.

You don't want to do a view-state yourself because that still has to signal something back to clean up, and that would end up leading to an error view in the end anyway. You'd have to do a hidden iframe or some weird thing like that, and it's not necessary.

> So, if you were going to do a terminal display screen with static text, would you just throw an exception that I could trap
> and map to a message in error.vm? If so, what exception would I throw?

I suppose an exception might work, but it's best to just build a simple flow to raise a custom event.

<action-state id="SignalEvent">
	<evaluate expression="'proceed'" />
	<transition to="MyEvent" />
</action-state>

<end-state id="MyEvent" />

It's possible it might work with just the end-state, but I don't know for certain.

You need to follow the conventions for establishing custom flows automatically through the filename and location, and you need to make sure it's not sitting anywhere in flows/authn/ because that would make it a login flow by convention. Maybe "flows/error/unregistered/unregistered-flow.xml" (making the flow ID to signal in the script "error/unregistered").

Since this is still happening as part of authentication overall, you also need to add MyEvent as an end-state to the overall set of events authentication is allowed to signal back (that's in authn/authn-events-flow.xml).

That's all a lot more than it would take if I had just allowed for event signaling. The challenge is that the script rules are supposed to just return a String, and so there was no way to say "this is a flow" or "this is an event". I think I can fix that by making sure there's a standard way to save off the event to signal, and then returning null from the script should take care of it.
 
-- Scott
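
Added example, not part of the original message and not Shibboleth project code: a small pre-deployment check for the wiring described above. It confirms that the custom flow's location yields the expected flow ID, that the flow is not under flows/authn/, and that every end-state it raises is also declared in authn/authn-events-flow.xml. The sample XML documents and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

NS = "{http://www.springframework.org/schema/webflow}"

# Constructed sample files (not from the post); only the element names and
# the path convention come from the message above.
CUSTOM_FLOW_PATH = "flows/error/unregistered/unregistered-flow.xml"
CUSTOM_FLOW = """<flow xmlns="http://www.springframework.org/schema/webflow">
  <action-state id="SignalEvent">
    <evaluate expression="'proceed'" />
    <transition to="MyEvent" />
  </action-state>
  <end-state id="MyEvent" />
</flow>"""
AUTHN_EVENTS = """<flow xmlns="http://www.springframework.org/schema/webflow">
  <end-state id="MyEvent" />
</flow>"""


def flow_id_from_path(path):
    """flows/<id>/<name>-flow.xml -> <id>, per the filename/location convention."""
    parts = PurePosixPath(path).parts
    if parts[0] != "flows" or not parts[-1].endswith("-flow.xml"):
        raise ValueError("not a conventional flow location: " + path)
    return "/".join(parts[1:-1])


def end_states(xml_text):
    """IDs of every end-state declared in a Web Flow definition."""
    root = ET.fromstring(xml_text)
    return {e.get("id") for e in root.iter(NS + "end-state")}


def check_error_flow(path, flow_xml, authn_events_xml):
    """Return a list of problems; an empty list means the wiring is consistent."""
    problems = []
    flow_id = flow_id_from_path(path)
    if flow_id == "authn" or flow_id.startswith("authn/"):
        problems.append(flow_id + " sits under flows/authn/ and would be treated as a login flow")
    custom = end_states(flow_xml)
    if not custom:
        problems.append("flow has no end-state, so it cannot signal an event")
    for event in sorted(custom - end_states(authn_events_xml)):
        problems.append(event + " is not an end-state in authn-events-flow.xml")
    return problems


if __name__ == "__main__":
    print(flow_id_from_path(CUSTOM_FLOW_PATH))
    print(check_error_flow(CUSTOM_FLOW_PATH, CUSTOM_FLOW, AUTHN_EVENTS) or "ok")
```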



