Customizing Error Messages in Access Manager Login Pages



When user authentication fails because the credentials are invalid - the password has expired with no grace logins left - the error page returned often gives a brief message indicating what the users must do to avoid the error. In certain cases where it is required to contact the system administrator, there is no option available to expand the message to include the telphone number of the system administrator, or suggestions to avoid the problem.

There are multiple user specific errors that are thrown by the Access Manager Identity Server code - the list below shows the various strings:

100=Unable to complete authentication request.
101=Unable to complete federate request.
102=Unable to complete federation termination request.
103=Unable to complete register name request.
104=Authentication request failed.
105=Federate request failed.
106=Unable to process a federation termination request.
107=Unable to process a register name request.
108=Unable to authenticate.
109=Unable to send authentication to service provider.
110=Unable to complete logout request.
111=Authentication requires the use of the https protocol.
113=Unable to complete unsupported request.
114=Unable to complete request at this time.
115=Resource is not available
116=The requested defederation was successful, and has caused your session to become invalid. Please login again.
117=Username length cannot exceed {0} characters.
118=Passwords must be between {0} and {1} characters in length.
119=Passwords dont match.
120=Username is not available.
121=User login has been disabled due to intruder detection. Please report this error to your system administrator.
122=You are not allowed to login at this time. Please wait for your allowed time to login or contact your system aystem administrator.
123=Your login has been disabled. Please report this error to your system administrator.
124=There are no login connections available. Please try again later or contact your system administrator.
125=Login failed, please try again. If you continue to be unable to login, please contact your system administrator.
126=Your password has expired. Please contact your system administrator.

These errors are either returned via the login.jsp page or the err.jsp page, depending on whether the authentication request is triggered locally at the Identity Server, or via a SAML/Liberty request
from another device. Both these pages can be modified to customize the error returned to the user.

The example below shows an error message returned when the user's password has expired and no grace logins remain. In many cases, users would like to get more details regarding how to contact the administrator (email, phone number), or whether a link exists for users to reset their passwords.


The login page within Access Manager can be customized to modify existing messages returned and add more details during the login stage. This login page (login.jsp) is located in the
/opt/novell/nids/lib/webapp/jsp directory. The section of the page that handles errors is shown below.

1    <%
2 String err = (String) request.getAttribute(NIDPConstants.ATTR_LOGIN_ERROR);
3 if (err != null)
4 {
5 %>

7 <% }

The error returned by the Novell Indentity server during the login stage is stored in the error string in line 2. Assuming that there is an error returned, it is then displayed later in the page in line 6.

In the above case, we want to be able to change the string from this:

"Your password has expired. Please contact your system administrator."

to something more specific, like this:

"Your password has expired. Reset your password at For further issues, please contact your system administrator at x19012."

To accomplish this, the following changes are required on the login.jsp page:

1    <%
2 String err = (String) request.getAttribute(NIDPConstants.ATTR_LOGIN_ERROR);
4 if (err != null && err.startsWith("Your password has expired"))
5 {
6 err = "Your password has expired. Reset your password at Please contact your system administrator at x19012 or email the helpdesk at for further questions";
7 }
9 if (err != null)
10 {
11 %>

13 <% }

We've added a section starting on line 4 that checks to see whether the message returned from the Novell Indentity server starts with the string "Your password has expired". If we do match that string, we rewrite the error string to be our customized error in line 6. Finally, we display our new error in line 12, as before.

Using the same method, it's possible to search for any of the strings in the above list of possible errors and replace them with an error message of your choice.



How To-Best Practice
Comment List