Trying to set up an IdP with AM5 for SAML federation to a SaaS provider. One of the use cases is when a user is not in the IdP, IdP will notify SP in some form that SP can show alternative login page.
I’m thinking of two options:
1. IdP sends SAML Authorization Assertion in SAML response to SP’s ACS with authorization denied, so SP can respond with a redirect to the alternative login page.
2. During AM authentication, if user is not in IdP, redirect to SP’s alternative login page during authn process.
Can AM support either of the above options? Are there any other approaches that are worth a try?