The concept you are looking for is called a Context Check Intercept.
You should be able to find sufficient info on that on the wiki; just pay close attention to the details.
I'm using this to limit what type of users can go to _some_ SPs. I actually have a number of context-checks (e.g. to check if users are permitted to consume library resources, or if users are from a specific campus). My deployment is entirely scripted and templated, so it's easy for me to add more context-checks; otherwise it is best to limit the number you use (for the sake of complexity).
Hope that helps,
From: users <[hidden email]> On Behalf Of Juan Padilla
Sent: Thursday, 14 June 2018 7:56 AM
To: [hidden email]
Subject: force login failure based on attribute value
Is there a way to add logic in attribute-resolver (or another method) to not send the user back to the SP on successful login if an attribute is a certain value?
For example, if a user is not part of an LDAP group, then send them to an error page instead of the service provider.
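As an added illustration of the context-check intercept suggested in the reply (this is not the poster's configuration and not the project's own files), here is what the two relevant Shibboleth IdP v3-style config fragments could look like for the LDAP-group case. The SP entityID, the group DN and the `isMemberOf` attribute name are placeholders; the intercept condition bean id, the `SimpleAttributePredicate` class and the `postAuthenticationFlows` property are the ones documented for the IdP, but check the wiki page for your IdP version before copying.

```xml
<!-- conf/intercept/context-check-intercept-config.xml (assumed file layout for IdP v3).
     The condition must evaluate to TRUE for the user to proceed to the SP; when it is
     FALSE the intercept flow raises the IdP's context-check denial event and the user
     lands on the IdP error view instead of receiving an assertion. -->
<bean id="shibboleth.context-check.Condition" parent="shibboleth.Conditions.AND">
    <constructor-arg>
        <list>
            <!-- Pass only if the RESOLVED isMemberOf attribute contains the group DN.
                 useUnfilteredAttributes="true" means the attribute does not have to be
                 released to the SP by the filter policy; the check runs on resolver output.
                 Group DN below is a placeholder. -->
            <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate"
                  p:useUnfilteredAttributes="true">
                <property name="attributeValueMap">
                    <map>
                        <entry key="isMemberOf">
                            <list>
                                <value>cn=sp-allowed-users,ou=groups,dc=example,dc=org</value>
                            </list>
                        </entry>
                    </map>
                </property>
            </bean>
        </list>
    </constructor-arg>
</bean>

<!-- conf/relying-party.xml: attach the intercept only to the SP(s) that need it,
     so every other SP keeps the default behaviour. The entityID is a placeholder. -->
<util:list id="shibboleth.RelyingPartyOverrides">
    <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org/shibboleth">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{{'context-check'}}" />
            </list>
        </property>
    </bean>
</util:list>
```

Two things worth verifying when testing this: the `p:` and `c:` namespaces must be declared at the top of the file (the stock config files already do this), and the attribute you test on must actually be resolved before the intercept runs, otherwise the predicate sees no `isMemberOf` value and denies everyone. Because the condition is a deny-by-default check on resolver output, a misconfigured attribute name fails closed rather than silently letting users through, which is the safer failure mode for an access gate.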