Next step would be to lay out what the tags/errors need to be, and what the other fields would need to be. This should be done at the level of interfederation; local federations may require something more based on their own requirements. There are also privacy issues to consider (i.e., people want to see important information captured and sent, but do not want it in URLs).


From the SAML2-INT Spec:

[SDP-MD12] An IdP’s metadata MUST include the errorURL attribute on its <md:IDPSSODescriptor> element. The content of the errorURL attribute MUST be an https URL resolving to an HTML page.

The errorURL HTML page should be suitable for referral by SPs if they receive insufficient attributes from the IdP to successfully authenticate or authorize the user’s access. The page should provide information targeted at the end user explaining how to contact the operator of the IdP to request addition of the necessary attributes to the assertions.


Errors in the OAuth 2 world

https://www.oauth.com/oauth2-servers/server-side-apps/possible-errors/

Criteria

Do we think that (most) IdPs are willing to write a support page for users for this error?

Is the underlying problem something related to the user that he or she can do anything about by using generic information provided by the IdP?

Errors not directly related to the user should not be included in the errorURL use case; they should be logged by the SP and handled by the SP in direct contact with the IdP.

Possible Error States

Replace all (or only the first?) occurrences of ERRORURL-tags

Field: ERRORURL_CODE

error state            | Typically caught by | Notes
MISSING_ATTRIBUTES     | Application         | In scope
AUTHENTICATION_FAILURE | Service Provider    | In scope (e.g. requested authentication class issue)
AUTHORIZATION_FAILURE  | Application         | In scope (e.g., entitlement, assurance)
OTHER_ERROR            | Application         | Last resort error; should probably include contact information for the IdP's "user support"
AUTHN_TOO_OLD          |                     | Out of scope for the WG
SCOPE                  |                     | Out of scope for the WG

Optional Additional Fields

additional field | Syntax      | Notes
ERRORURL_TS      | Numbers     | Unix epoch seconds (seconds since 1970-01-01 00:00 UTC)
ERRORURL_RP      | URL encoded | https%3A%2F%2Fsome-sp.domain.com%2Fshibboleth-sp
ERRORURL_TID     | URL encoded | Whatever the SP needs to understand what the IdP is talking about (e.g. some transaction id) – IF_THE_IDP_IS_TO_CONTACT_THE_SP_PLEASE_PROVIDE_THIS
ERRORURL_CTX     | URL encoded | Useful context information for the IdP (e.g. "Please support R&S") – POSSIBLE_SOME_INFORMATION_USEFUL_FOR_THE_IDP, not meant to be presented to the user

https://support.umu.se/IdP-support.html

https://wiki.swamid.se/IdP-support/ERRORURL_CODE

https://www.kau.se/support/idp-error/ERRORURL_CODE.html?timestamp=ERRORURL_TS&transaction_id=ERRORURL_TID&remote_service_provider_entityid=ERRORURL_RP&extra_information=ERRORURL_INFO

https://www.kau.se/support/idp-error/ERRORURL_CODE.html?ts=ERRORURL_TS&tid=ERRORURL_TID&rp=ERRORURL_RP

https://www.servicedesk.umu.se/faq/idp-error.php?error=ERRORURL_CODE&timestamp=ERRORURL_TS&transaction_id=ERRORURL_TID
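As an added illustration (not part of this page or of any SP implementation), the following shows how an SP could expand one of the errorURL templates above: substituting the fields from the table, URL-encoding them as the table requires, enforcing the https requirement from SDP-MD12, exposing the open "replace all or only the first occurrence" question as a flag, and reporting tags it does not know (such as ERRORURL_INFO in one example) so they can be logged rather than leaked. The names ERRORURL_CODES, build_error_url and unresolved_tags are hypothetical.

```python
import re
import time
from urllib.parse import quote, urlparse

# Error states the page lists as in scope for ERRORURL_CODE.
ERRORURL_CODES = {
    "MISSING_ATTRIBUTES",
    "AUTHENTICATION_FAILURE",
    "AUTHORIZATION_FAILURE",
    "OTHER_ERROR",
}

TAG_RE = re.compile(r"ERRORURL_[A-Z]+")


def build_error_url(template, code, rp_entity_id, transaction_id=None,
                    context=None, ts=None, replace_all=True):
    """Expand an IdP errorURL template (the errorURL attribute on
    <md:IDPSSODescriptor>) on the SP side. Only the fields defined on this
    page are substituted; nothing identifying the user goes into the URL."""
    if code not in ERRORURL_CODES:
        raise ValueError(f"unknown ERRORURL_CODE: {code}")
    if urlparse(template).scheme != "https":
        # SDP-MD12: the errorURL MUST be an https URL.
        raise ValueError("errorURL in IdP metadata must be https")
    values = {
        "ERRORURL_CODE": code,
        "ERRORURL_TS": str(int(time.time() if ts is None else ts)),
        # URL encoded as the field table requires; safe="" also encodes ":" and "/".
        "ERRORURL_RP": quote(rp_entity_id, safe=""),
        "ERRORURL_TID": quote(transaction_id or "", safe=""),
        "ERRORURL_CTX": quote(context or "", safe=""),
    }
    url = template
    for tag, value in values.items():
        # The page leaves open whether to replace all or only the first
        # occurrence of a tag; the flag lets the SP choose either behaviour.
        url = url.replace(tag, value) if replace_all else url.replace(tag, value, 1)
    return url


def unresolved_tags(url):
    """ERRORURL_* tags left in the expanded URL because this SP does not know
    them; an SP should log these rather than guess at values."""
    return TAG_RE.findall(url)


if __name__ == "__main__":
    # Constructed input: one of the templates listed above, with a made-up transaction id.
    tpl = ("https://www.kau.se/support/idp-error/ERRORURL_CODE.html"
           "?ts=ERRORURL_TS&tid=ERRORURL_TID&rp=ERRORURL_RP")
    print(build_error_url(tpl, "MISSING_ATTRIBUTES",
                          "https://some-sp.domain.com/shibboleth-sp",
                          transaction_id="tx 42", ts=1700000000))
```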
