So because I have a step login process - logon widget to get username and then branch based upon domian name - so SAML or local ldap .
for local ldap another login widget where you enter password.
It was brought to my attention that I have locked the username on the second dialogue box - because I don't want people to put in SAML email addresses here and by pass the saml hand off.
so how do I easily hand back to the first widget in apm - don't think APM allows for that.
My next thought was to add a button - change user name or Back. but what it does is call a url - that logs out the session and restarts - thats the only way I can see how to restart the progress throught APM. But if I do that I lose my landing uri and if I don't some how keep that once the user has logged in they land on / which is of no use !
I wanted to craft a button that had say destination url = /sso/logoff?r=<landing url> that would handle the log off and then redirect based upon r
Ah, that's an interesting scenario! And yes, I quite agree to lock the username on the second screen (or something similar) so that people can't bypass the SAML trick. I may however have an easier solution for you. Are you familiar with the Macro's in the APM policy? Within Macro's, you can create a Loop ending.
If you put the original logon widget, as well as the second LDAP agent into a Macro (perhaps with some other agents too), and at the end the Macro, put an agent that checks if the login name is still the same as on the first page, you should be fine. If the user doesn't change the username, continue. Otherwise, follow the Loop ending which sends it back to the beginning (without loosing the session!)
I use something similar myself for a home-cooked login portal, and on the login page, I have an empty variable which doesn't show anything at first, but if someone gives the wrong credentials, the variable gets filled with the text "Incorrect username/password", which then shows up on the login page. This second trick means that in my case, I can tell the user of the error, without having to create a completely new login page.