I have set up some custom sign-in pages based on the sample.zip pages. We are using primary and secondary authentication (on one page), and with the custom sign-in pages, if the user enters the wrong credentials, the error message is the same regardless of whether it is the primary or secondary authentication that fails. With the standard login pages the error messages indicate which authentication failed.
Is there a parameter I can check on the custom page to see which is failing (I've tried the LoginPageErrorCode but this is always 1002)?
Can you change SecondaryLoginPage.thtml and implement a custom error code for 1002? Since it is in the SecondaryLoginPage.thtml then you know it came from the secondary authentication server.
<% IF LoginPageErrorMessage %>
  <% IF LoginPageErrorCode == 1002 %>
    ERROR MESSAGE GOES HERE
  <% END %>
<% END %>
Did you find any solution to this?
I have the same problem and we also use a single login page with both primary and secondary login.
The IVE certainly knows the difference. If you leave it on the default message and make it show the error code, the messages are different but the error code is the same...
Maybe the following would work -
On the secondary authentication server definition in the realm, uncheck the "End session if authentication against this server fails" option so that it doesn't kick you out for failing the 2nd authentication. Then, if you receive an authentication failure, it is because the 1st authentication failed.
Run a policy trace to see what variables are set for the second authentication when it succeeds and when it fails. I'm guessing you'll find some variable which is populated if the authentication succeeds, and not if it fails. You can use this difference in role mapping, and map the failing case to no roles. Then you can modify the "No roles" message to be that the user failed the 2nd authentication.