The LDAP error code for failed login is 49. If you use Microsoft Active Directory for your authentication source you have the ability to parse additional information out of the error 49 code that is returned to the JAAS layer.

"Sub" Error Codes

Here are some of the more useful "sub" error codes that are returned by Active Directory. (someday I'll find the technet article again and link it)

code	explanation
525	user not found
52e	invalid credentials
530	not permitted to logon at this time
531	not permitted to logon at this workstation
532	password expired
533	account disabled
701	account expired
773	user must reset password
775	user account locked

Make it useful

To begin, the jsp layer of the IdP is an easy place to trap different errors so you can display different text.

First field the error condition (much like the previous example). Next look for the codes you want to relay back to the UX environment.

<%@ page import="edu.internet2.middleware.shibboleth.idp.authn.LoginHandler" %>
 
<% if (request.getAttribute(LoginHandler.AUTHENTICATION_EXCEPTION_KEY) != null) { 
 
       Throwable myEx = (Throwable)request.getAttribute(LoginHandler.AUTHENTICATION_EXCEPTION_KEY);
 
       String myErrorString = "";
 
       if(myEx.getMessage().contains("error code 49") && myEx.getMessage().contains("data 775")){
             log.info("LoginExceptionParser (775) ACCOUNT_LOCKED");
             myErrorString = "Account Locked";
       } else if(myEx.getMessage().contains("error code 49") && myEx.getMessage().contains("data 773")) {
             log.info("LoginExceptionParser (773) PASSWORD_EXPIRED");
             myErrorString = "Password Expired";
       } else if(myEx.getMessage().contains("error code 49") && myEx.getMessage().contains("data 532")) {
             log.info("LoginExceptionParser (532) PASSWORD_EXPIRED");
             myErrorString = "Password Expired";
       } else if(myEx.getMessage().contains("error code 49") && myEx.getMessage().contains("data 533")) {
             log.info("LoginExceptionParser (533) DISABLED");
             myErrorString = "Account Disabled";
       } else {
             log.info("LoginExceptionParser (???) INVALID_CREDENTIALS / OTHER");
             myErrorString = "Invalid Username Or Password";
       }
%>

Browser not supported