Setup:
My web application has OpenAM + OpenDJ interacting with a federation server in order to provide SSO service through SAML2. The list of users who are authorised to access my application is part of the OpenDJ.
How it works:
When the user launches the link for the first time and the application determines that he has not logged in, the user is redirected to the IDP URL to authenticate. The IDP provides the SAML2 response through the exposed Consumer URL. On receiving the SAML2 response, my application determines whether the user is part of my LDAP and thereby allowed to access it, and shows a home page if he has access.
Problem:
When the user is not part of my LDAP, I would like to show an Access Denied page; however, I find that OpenAM shows the default IDP-initiated login page with a goto parameter pointing to my URL.
I've tried configuring success and failure URLs, but that results in the application not being completely accessible. The users are not even shown the IDP login screen.
Is there a property or configuration I need to set to enable OpenAM to show the Access Denied page instead of IDP Login?
I was able to get this working through changes/redirection on the web server, though I am not sure if there is a place within the OpenAM config to solve this.
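The flow described in the post, written out as an added example of the decision the service provider should make once the SAML2 response arrives at the Consumer URL. This is not OpenAM or OpenDJ code and not part of the original post: the IDP, application and Access Denied URLs are hypothetical, the LDAP lookup is replaced by a constructed in-memory set, and the response XML is a constructed, unsigned stand-in. It assumes the SP stack has already verified the response signature and conditions before this decision runs; the point it shows is that an authenticated user who is not in the LDAP gets a 403 page from the SP, rather than being bounced back to the IDP login with a goto parameter, which would only loop the user through login again.

```python
"""Added example: SP-side access decision after a SAML2 Response reaches the ACS.

Assumption: the SAML Response has already been signature-verified by the SP
stack (OpenAM in the post). Only the authorization decision is modelled here.
"""
import xml.etree.ElementTree as ET
from typing import Optional, Tuple
from urllib.parse import urlencode

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical URLs for this example (not from the post).
IDP_LOGIN_URL = "https://idp.example.com/openam/saml2/idpsso"
APP_URL = "https://app.example.com/home"
ACCESS_DENIED_URL = "https://app.example.com/access-denied"

# Constructed stand-in for the OpenDJ lookup: the users allowed into the app.
AUTHORISED_USERS = {"alice", "bob"}


def extract_subject(saml_response_xml: str) -> Optional[str]:
    """Return the NameID from a successful SAML2 Response, else None."""
    root = ET.fromstring(saml_response_xml)
    status = root.find("saml2p:Status/saml2p:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        return None
    name_id = root.find("saml2:Assertion/saml2:Subject/saml2:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        return None
    return name_id.text.strip()


def user_is_authorised(uid: str) -> bool:
    """Stand-in for the LDAP membership check against OpenDJ."""
    return uid in AUTHORISED_USERS


def decide(saml_response_xml: Optional[str]) -> Tuple[int, str]:
    """Return (HTTP status, location/page) for the cases the post describes."""
    if saml_response_xml is None:
        # Not authenticated yet: send the user to the IDP with the return target.
        return 302, IDP_LOGIN_URL + "?" + urlencode({"goto": APP_URL})
    uid = extract_subject(saml_response_xml)
    if uid is None:
        # Authentication failed at the IDP, so retrying login is the right response.
        return 302, IDP_LOGIN_URL + "?" + urlencode({"goto": APP_URL})
    if not user_is_authorised(uid):
        # Authenticated, but not in our LDAP: deny here. Redirecting back to the
        # IDP would only send an already-authenticated user through login again.
        return 403, ACCESS_DENIED_URL
    return 200, APP_URL


def make_response(uid: Optional[str], success: bool = True) -> str:
    """Build a minimal constructed (unsigned) SAML2 Response for exercising decide()."""
    status = STATUS_SUCCESS if success else "urn:oasis:names:tc:SAML:2.0:status:Responder"
    subject = f"<saml2:Subject><saml2:NameID>{uid}</saml2:NameID></saml2:Subject>" if uid else ""
    return (
        f'<saml2p:Response xmlns:saml2p="{NS["saml2p"]}" xmlns:saml2="{NS["saml2"]}">'
        f'<saml2p:Status><saml2p:StatusCode Value="{status}"/></saml2p:Status>'
        f"<saml2:Assertion>{subject}</saml2:Assertion>"
        "</saml2p:Response>"
    )


if __name__ == "__main__":
    print("no session     ->", decide(None))
    print("alice (in LDAP)->", decide(make_response("alice")))
    print("mallory        ->", decide(make_response("mallory")))
    print("IDP failure    ->", decide(make_response("alice", success=False)))
```

The three outcomes map onto the post's situation: the first-time visitor is redirected to the IDP with goto, the LDAP member lands on the home page, and the authenticated non-member receives the Access Denied page directly from the SP instead of the IDP login page.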