Hi All,

I've set up a Brokering Group and Brokering Rule, and when the user is of a certain role, the SP deny is set.

https://www.netiq.com/documentation/.../b1ax7qoc.html says:
If the authorization policy is configured to deny execution, Identity Server sends the following message as part of an assertion response.
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied" />
</samlp:StatusCode>
<StatusMessage>Authorization is failed</StatusMessage>
</samlp:Status>

Which is exactly what it does in our case.

<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
</samlp:StatusCode>
<StatusMessage>Authorization is failed</StatusMessage>
</samlp:Status>


Problem is, ADFS (the SP in this case) doesn't like the SAML response very much. It shows an "An error occurred" page to the user, and the below exception is in the Event Logs.

Exception details:
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
at System.Xml.XmlReader.ReadEndElement()
at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadStatus(XmlReader reader)
at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadResponse(XmlReader reader, NamespaceContext context)
at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.CreateFromNameValueCollection(Uri baseUrl, NameValueCollection collection)
at Microsoft.IdentityServer.Protocols.Saml.HttpPostSamlBindingSerializer.ReadMessage(Uri requestUrl, NameValueCollection form)
at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)


It may seem like an ADFS related question at first, but of course there may be some configuration that you are aware of in NAM that can sort this response.

Eventually, instead of having the "An error occurred" page, we would be happy with an "Access is denied" message.

Thanks in advance for reading and for your responses.
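As an added illustration (not part of the original post, and not NAM or ADFS code), the block below parses the Status block quoted above the way SAML 2.0 Core (section 3.2.2.2) allows it to be written: a top-level StatusCode (here Responder) carrying a nested, more specific StatusCode (RequestDenied), plus a StatusMessage. It walks the nesting chain and maps the result to a user-facing outcome, so a relying party that understands the nested form can show "Access is denied" instead of a generic error. It also includes a deliberately strict reader that assumes StatusCode is always an empty element and rejects the nested form; that is one plausible reading of the ReadStatus stack trace in the post, offered as an assumption, not a confirmed account of what ADFS does. The Response wrapper attributes and the success sample are constructed placeholders.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"

# Constructed sample: the Status block from the post, wrapped in a minimal
# samlp:Response. ID/IssueInstant are placeholders, not from a real IdP.
# Note the StatusMessage is unprefixed, exactly as shown in the post.
DENIED_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" ID="_constructed1"
    Version="2.0" IssueInstant="2000-01-01T00:00:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="{STATUS_RESPONDER}">
      <samlp:StatusCode Value="{STATUS_REQUEST_DENIED}"/>
    </samlp:StatusCode>
    <StatusMessage>Authorization is failed</StatusMessage>
  </samlp:Status>
</samlp:Response>"""

# Constructed sample of the non-nested, successful case (assertion omitted,
# since only the Status element matters here).
SUCCESS_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" ID="_constructed2"
    Version="2.0" IssueInstant="2000-01-01T00:00:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="{STATUS_SUCCESS}"/>
  </samlp:Status>
</samlp:Response>"""


def _local_name(tag: str) -> str:
    """Strip the {namespace} part of an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def parse_status(response_xml: str) -> dict:
    """Return {'codes': [top-level, nested, ...], 'message': str|None}.

    SAML 2.0 Core permits StatusCode to contain a nested StatusCode (the
    top-level value is one of the four standard codes, the nested one is
    more specific), so the chain is walked rather than read once.
    """
    root = ET.fromstring(response_xml)
    status = root.find(f"{{{SAMLP}}}Status")
    if status is None:
        raise ValueError("samlp:Response has no samlp:Status")

    codes = []
    code = status.find(f"{{{SAMLP}}}StatusCode")
    while code is not None:
        codes.append(code.get("Value"))
        code = code.find(f"{{{SAMLP}}}StatusCode")  # follow the nesting chain

    # Match StatusMessage by local name so the unprefixed form in the post
    # is tolerated as well as the namespaced samlp:StatusMessage.
    message = None
    for child in status:
        if _local_name(child.tag) == "StatusMessage":
            message = (child.text or "").strip()
    return {"codes": codes, "message": message}


def user_facing_outcome(status: dict) -> str:
    """Map a parsed Status to what the SP should show the user."""
    codes = status["codes"]
    if codes and codes[0] == STATUS_SUCCESS:
        return "success"
    if STATUS_REQUEST_DENIED in codes:
        return "Access is denied"
    return "An error occurred"


def strict_reader_accepts(response_xml: str) -> bool:
    """Assumed behaviour of a reader that treats StatusCode as an empty
    element: read its Value, then expect the end tag immediately. A nested
    StatusCode is an unexpected child element, so the read is rejected.
    (Hypothetical model of the failure, not ADFS's actual implementation.)
    """
    root = ET.fromstring(response_xml)
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None:
        return False
    return len(code) == 0  # any child element means "end tag expected, got Element"


if __name__ == "__main__":
    for label, xml in (("denied", DENIED_RESPONSE), ("success", SUCCESS_RESPONSE)):
        parsed = parse_status(xml)
        print(label, parsed, "->", user_facing_outcome(parsed),
              "| strict reader accepts:", strict_reader_accepts(xml))
```

Run it as-is to see the denied sample resolve to "Access is denied" while the strict reader rejects it and accepts only the single-code success sample. On the NAM side there is nothing in this block to configure; it only shows what a relying party has to handle to turn the nested RequestDenied status into the message the post asks for.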