Concur Application: adding custom elements to shib IdP SAML response

Peter Schober peter.schober at
Thu May 4 15:51:15 EDT 2017

* Reid Watson <reid.watson at> [2017-05-04 21:10]:
> In 2014 a post was created stating “ adding custom elements to shib IdP SAML response"  
> Basic Overview "Adding an URL to the SAML response so the vendor can
> redirect to an error page for unauthorised users”

The SAML 2.0 Metadata spec allows populating a "errorURL" XML
attribute in role descriptors. So you could add that to your IDP's
Metadata and have the SP read it from there (assuming the SP can
consume SAML Metadata; otherwise just give them the URL to use out of

Other than that: If you want to send a URL to the SP, why not send it
in an attribute statement and have the SP grab it from there?
The SP will need to dig through the SAML anyway to grab it from
/somewhere/ so it might as well be an attribute, no?


More information about the users mailing list