I'm trying to figure out a way to get ADFS to return more detailed info in the AuthorizationFailedException. There are many reasons a user might not be authorized based on how I have rules set up for each relying party. I'd like to take a specific action based on why they aren't authorized. The only property available is the relying party identifier.
I have an ADFS authorization rule that calls a stored procedure to figure out if a given user is authorized to access the relying party and returns some additional data about why a user isn't authorized. It's in the format of [authorized(true|false)|reason].
So the authorized claim might look like false|NeedApproval. In this case, I'd want to kick off some workflow to request access for the user...but that's outside of the scope of ADFS.
I created a custom attribute store that takes the authorization claim as a parameter and parses it. I was hoping if I threw a custom exception with the appropriate data it would bubble up to error.aspx and I could handle it appropriately. However, any exception that occurs in an attribute store gets thrown away by ADFS and ultimately an AuthorizationFailedException is returned.
I'm trying to avoid making an additional call in error.aspx to determine why a user isn't authorized since I've already made the call...but it's not looking feasible. Any suggestions are appreciated.
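An added example (not the asker's code) of the custom-attribute-store pattern described above: it parses the `authorized|reason` value and hands both parts back as query columns, so the reason travels as a claim instead of an exception that ADFS discards. Class name, claim types and rule text are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Threading;
using Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore;

// Hypothetical store: turns "true|Ok" / "false|NeedApproval" into two output
// values so a claim rule can issue the reason as its own claim.
public class AuthorizationReasonStore : IAttributeStore
{
    // Minimal IAsyncResult carrier; the parse itself is synchronous.
    private sealed class DoneResult : IAsyncResult
    {
        public DoneResult(string[][] rows, object state) { Rows = rows; AsyncState = state; }
        public string[][] Rows { get; }
        public object AsyncState { get; }
        public WaitHandle AsyncWaitHandle => new ManualResetEvent(true);
        public bool CompletedSynchronously => true;
        public bool IsCompleted => true;
    }

    public void Initialize(Dictionary<string, string> config) { }

    public IAsyncResult BeginExecuteQuery(string query, string[] parameters,
                                          AsyncCallback callback, object state)
    {
        // The rule passes the authorization claim value as the first parameter.
        string raw = (parameters != null && parameters.Length > 0) ? parameters[0] : null;
        var result = new DoneResult(new[] { Parse(raw) }, state);
        callback?.Invoke(result);
        return result;
    }

    public string[][] EndExecuteQuery(IAsyncResult result) => ((DoneResult)result).Rows;

    // Returns { authorized, reason }. Never throws: ADFS swallows store exceptions
    // and reports a bare AuthorizationFailedException, so malformed input is
    // mapped to a deny with an explicit reason instead.
    public static string[] Parse(string raw)
    {
        if (string.IsNullOrWhiteSpace(raw)) return new[] { "false", "MissingAuthorizationClaim" };
        string[] parts = raw.Split(new[] { '|' }, 2);
        if (!bool.TryParse(parts[0].Trim(), out bool ok)) return new[] { "false", "MalformedAuthorizationClaim" };
        string reason = (parts.Length > 1 && parts[1].Trim().Length > 0) ? parts[1].Trim() : (ok ? "Authorized" : "Unspecified");
        return new[] { ok ? "true" : "false", reason };
    }
}

// Assumed issuance rule wiring the store to the claim (claim types are placeholders):
// c:[Type == "urn:example:authorization"]
//  => issue(store = "AuthorizationReasonStore",
//           types = ("urn:example:authorized", "urn:example:authorization-reason"),
//           query = "{0}", param = c.Value);
```

The issuance authorization rule can then permit on `urn:example:authorized == "true"`, and the reason claim is available to the error page without a second lookup.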