Single sign on - custom error page for log in errors

  • Question

  • We have successfully set up a Windows Azure AD Tenant and implemented web single sign-on in our ASP.NET application in accordance with this tutorial: http://msdn.microsoft.com/en-us/library/windowsazure/dn151790.aspx

    We are using Organizational Identities for authentication, but if a user is already logged in to another website using a different Microsoft Account (Windows Live ID) we get a very user-unfriendly error message: "ACS20016: The domain of the logged in user does not match any allowed domain of this STS."

    Is there any way we can provide a more user friendly error message? Is there anything like the Error URL in ACS to redirect users to a custom error page if an error occurs during the log in process?
    Tuesday, July 16, 2013 8:53 AM

Answers

  • This is supported in essentially the same way as ACS 2.0. Simply add an Error URL to the ServicePrincipal using the Azure AD PowerShell cmdlets. This will essentially follow Example 2 on the following MSDN page, except the address that you create will be:

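    # Look up the service principal once; its AppPrincipalId is needed for the update
    $sp = Get-MsolServicePrincipal -ServicePrincipalName "MyApp"
    $addresses = $sp.Addresses

    # Append an address of type Error: the URL users are sent to when sign-in fails
    $addresses = $addresses + (New-MsolServicePrincipalAddresses -Address "https://contoso.com/error.aspx" -AddressType Error)

    Set-MsolServicePrincipal -AppPrincipalId $sp.AppPrincipalId -Addresses $addresses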

    Once you've done this, the above error case will redirect to this URL with exactly the same form parameters that ACS 2.0 would give, and you can handle the error accordingly.


    Friday, July 19, 2013 11:20 PM
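
One way error.aspx could handle that POST, as an added example that is not part of the original thread or of Microsoft's code. It assumes the ACS 2.0 convention of a JSON document posted in a form field named ErrorDetails, holding an errors array of errorCode/errorMessage entries; SignInErrorPage and BuildMessage are hypothetical names and the sample input is constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;

static class SignInErrorPage
{
    // Fixed, friendly text per error code. Only these strings ever reach the page.
    static readonly Dictionary<string, string> Friendly = new Dictionary<string, string>
    {
        ["ACS20016"] = "You are signed in with an account from a different organization. " +
                       "Sign out of that account, then sign in with your work account."
    };
    const string Generic = "We could not sign you in. Please try again.";

    // errorDetailsJson: raw value of the posted form field (assumed: "ErrorDetails").
    // Anyone can POST to the error URL, so the value is untrusted: it is size-capped,
    // parsed defensively, and its errorMessage text is never echoed back to the user.
    public static string BuildMessage(string errorDetailsJson)
    {
        if (string.IsNullOrEmpty(errorDetailsJson) || errorDetailsJson.Length > 8192)
            return Generic;
        try
        {
            using (JsonDocument doc = JsonDocument.Parse(errorDetailsJson))
            {
                JsonElement root = doc.RootElement;
                if (root.ValueKind != JsonValueKind.Object) return Generic;
                if (!root.TryGetProperty("errors", out JsonElement errors) ||
                    errors.ValueKind != JsonValueKind.Array) return Generic;
                foreach (JsonElement e in errors.EnumerateArray())
                {
                    if (e.ValueKind != JsonValueKind.Object) continue;
                    if (!e.TryGetProperty("errorCode", out JsonElement c) ||
                        c.ValueKind != JsonValueKind.String) continue;
                    if (Friendly.TryGetValue(c.GetString(), out string text)) return text;
                }
            }
        }
        catch (JsonException) { /* malformed body: fall through to the generic text */ }
        return Generic;
    }

    static void Main()
    {
        // Constructed sample in the assumed ErrorDetails shape.
        string sample = "{\"httpReturnCode\":\"401\",\"errors\":[{\"errorCode\":\"ACS20016\"," +
            "\"errorMessage\":\"The domain of the logged in user does not match any allowed domain of this STS.\"}]}";
        Console.WriteLine(BuildMessage(sample));      // friendly ACS20016 text
        Console.WriteLine(BuildMessage("not json"));  // generic text
    }
}
```

In the page itself, the argument would be the posted form value (for example `Request.Form["ErrorDetails"]` in Web Forms), and the returned string is safe to render because it is always one of the fixed messages.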

All replies

  • I have the same issue and would welcome an eloquent way of dealing with it (like Microsoft do on their own sites).

    Steve.

    Friday, July 19, 2013 7:47 PM
  • That's great - thank you. I'll give that a try.
    Tuesday, July 23, 2013 9:13 AM