Question

I have a site that is using Azure ACS for authentication, backed by ADFS. When things are going well and people do things they are supposed to, it's great, but that doesn't always happen, so we have been implementing custom error pages.

The problem is, it doesn't seem to catch authentication errors, such as

ID3206: A SignInResponse message may only redirect within the current web application
Key not valid for use in specified state.

These errors still produce the ugly yellow error screen no matter what I say in my web.config. They are clearly ASP.NET errors and not IIS errors, so my question is how and where can I put custom error pages to display such errors in a 'pretty' way, as setting a page in web.config isn't working?

EDIT: To be clear, we have ACS set up to use an error page and have customErrors on with a different error page, neither of which is being used.


Solution

You have to have an action on a controller in your web app that accepts a POST from ACS and takes a parameter of type string. You must also configure your relying party application in ACS to point to that action for errors. Then in the action code you can do something like this:

using System;
using System.Collections.Generic;
using System.Web.Mvc;
using System.Web.Script.Serialization;   // JavaScriptSerializer lives in System.Web.Extensions.dll

namespace ASPNETSimpleMVC.Controllers
{
    // Minimal model for the JSON that ACS posts in the ErrorDetails form field.
    // The answer does not show this class; only the members the action below uses
    // are reconstructed here. The real payload also carries a suggested HTTP return
    // code, a trace ID and a timestamp, as the comments in the action mention.
    public class ErrorDetails
    {
        public class Error
        {
            public string errorCode { get; set; }
            public string errorMessage { get; set; }
        }

        public string identityProvider { get; set; }
        public Error[] errors { get; set; }
    }

    public class ErrorController : Controller
    {
        // Errors can be mapped to custom strings here.
        static Dictionary<string, string> ErrorCodeMapping = new Dictionary<string, string>();

        static ErrorController()
        {
            ErrorCodeMapping["ACS50019"] = "You chose to cancel log-in to the identity provider.";
            ErrorCodeMapping["ACS60001"] = "No output claims were generated. You may be unauthorized to visit this site.";
        }

        //
        // POST: /Error/
        //
        // If an error occurs during sign-in, ACS will post JSON-encoded errors to this endpoint.
        // This function displays the error details, mapping specific error codes to custom strings.
        // The parameter is named ErrorDetails because that is the form field ACS posts;
        // MVC model binding fills it from the POST body.
        [AcceptVerbs( HttpVerbs.Post )]
        public ActionResult Index( string ErrorDetails )
        {
            // The error details contain an array of errors with unique error codes to indicate what went wrong.
            // Additionally, the error details contain a suggested HTTP return code, trace ID, and timestamp, which may be useful for logging purposes.

            ErrorDetails parsedErrorDetails = new JavaScriptSerializer().Deserialize<ErrorDetails>( ErrorDetails );

            ViewData["ErrorMessage"] = String.Format( "An error occurred during sign-in to {0}. ", parsedErrorDetails.identityProvider );

            // Loop through all ACS errors, looking for ones that are mapped to custom strings.
            // When a mapped error is found, stop looking and append the custom string to the error message.
            foreach ( ErrorDetails.Error error in parsedErrorDetails.errors )
            {
                if ( ErrorCodeMapping.ContainsKey( error.errorCode ) )
                {
                    ViewData["ErrorMessage"] += ErrorCodeMapping[error.errorCode];
                    break;
                }
            }

            return View( "Error" );
        }
    }
}

You may also find this article helpful.
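The error action ACS posts to is reached by the user's browser after a redirect, so it is necessarily unauthenticated and cannot be protected with an anti-forgery token: anyone can POST an arbitrary ErrorDetails value to it. The sample above dereferences the parsed object without checking it (an empty or malformed POST would itself raise the yellow screen the question is about) and reflects identityProvider into the message. The version below, an added example that is not part of the answer or of the ACS sample, treats the payload as untrusted: it bounds its size, fails closed to a generic message on parse errors or unknown codes, shows only allow-listed wording, never echoes errorMessage or identityProvider, and logs the trace ID for correlation. The member names on the AcsErrorDetails model (identityProvider, httpReturnCode, traceId, errors, errorCode, errorMessage) follow the ACS error payload as far as I know it and should be checked against a captured payload; the size limit and the GenericMessage text are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Web.Mvc;
using System.Web.Script.Serialization;

namespace ASPNETSimpleMVC.Controllers
{
    // JSON shape ACS posts in the "ErrorDetails" form field (assumed member names).
    public class AcsErrorDetails
    {
        public string identityProvider { get; set; }
        public int httpReturnCode { get; set; }
        public string traceId { get; set; }
        public AcsError[] errors { get; set; }
    }

    public class AcsError
    {
        public string errorCode { get; set; }
        public string errorMessage { get; set; }
    }

    // Turns an untrusted ErrorDetails payload into a message that is safe to show.
    public static class AcsErrorMessageBuilder
    {
        public const string GenericMessage = "Sign-in could not be completed. Please try again.";

        // Upper bound on what we are willing to parse (constructed limit).
        const int MaxPayloadChars = 8 * 1024;

        // Allow-list: only codes in this table ever produce specific wording.
        static readonly Dictionary<string, string> KnownCodes =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            {
                { "ACS50019", "You chose to cancel log-in to the identity provider." },
                { "ACS60001", "No output claims were generated. You may be unauthorized to visit this site." },
            };

        public static string Build(string rawErrorDetails, out string traceId, out int statusCode)
        {
            traceId = null;
            statusCode = 400;   // answer for an unusable payload

            if (string.IsNullOrEmpty(rawErrorDetails) || rawErrorDetails.Length > MaxPayloadChars)
                return GenericMessage;

            AcsErrorDetails details;
            try
            {
                details = new JavaScriptSerializer().Deserialize<AcsErrorDetails>(rawErrorDetails);
            }
            catch (ArgumentException)          // malformed JSON
            {
                return GenericMessage;
            }
            catch (InvalidOperationException)  // JSON that does not fit the model
            {
                return GenericMessage;
            }
            if (details == null)
                return GenericMessage;

            // The trace ID is logged, never shown; keep it short so logs stay readable.
            if (!string.IsNullOrEmpty(details.traceId) && details.traceId.Length <= 64)
                traceId = details.traceId;

            // Honour ACS's suggested status only when it is a plausible error code.
            if (details.httpReturnCode >= 400 && details.httpReturnCode <= 599)
                statusCode = details.httpReturnCode;

            if (details.errors != null)
            {
                foreach (AcsError error in details.errors)
                {
                    string mapped;
                    if (error != null && error.errorCode != null && KnownCodes.TryGetValue(error.errorCode, out mapped))
                        return mapped;
                }
            }

            // Unknown or missing codes: say nothing specific, so a forged POST
            // cannot place its own wording on the page.
            return GenericMessage;
        }
    }

    public class ErrorController : Controller
    {
        // POST: /Error/  (the URL configured as the relying party's error URL in ACS)
        [HttpPost]
        public ActionResult Index(string ErrorDetails)
        {
            string traceId;
            int statusCode;
            string message = AcsErrorMessageBuilder.Build(ErrorDetails, out traceId, out statusCode);

            // Log the trace ID so the event can be matched with the ACS side.
            Trace.TraceWarning("ACS sign-in error, traceId={0}", traceId ?? "(none)");

            Response.StatusCode = statusCode;
            ViewData["ErrorMessage"] = message;
            return View("Error");
        }
    }
}
```

Render ViewData["ErrorMessage"] in the view with a normal encoded expression (for example `@ViewData["ErrorMessage"]` in Razor), not Html.Raw; even though Build only returns fixed strings today, the habit keeps a future mapping change from turning into reflected script. The generic fallback also covers ACS codes you have not mapped yet, which is what a user should see rather than an exception page.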

Licensed under: CC-BY-SA with attribution