I am not sure if a redirect behavior on authentication failure is supported per the spec. According to the SAML2 spec, a response needs to be returned with a status code if a responder (AM) is unable to authenticate the presenter. That said, you may be able to achieve this behaviour by employing authentication trees. A ForgeRock verified SAML2 Node is available in the marketplace. You can define an auth tree such that a negative SAML2 Node outcome sets a FailureURL.