
Title: Dynamic errorURL
Description:

After login at a service, the service (SP) may find that the login lacks some information or fails some requirements, for example:

  • Too few attributes sent from the IdP
  • A required attribute value is not sent from the IdP
  • The service requires REFEDS MFA capability of the IdP, but the IdP does not support it (according to IdP metadata)
  • The IdP doesn't seem to support the forceAuthn SAML flag (either a SAML error from the errorURL, or the AuthenticationInstant is not refreshed)

There is currently no best practice for how a service should inform users of non-technical shortcomings of logins. It would be convenient if IdPs could supply URLs to different support pages that services could refer to, depending on predefined problems with logins. Many login problems are not detected until after login.

ACAMP at TechEx had a session regarding this. Notes and Post-ACAMP work are available at https://bit.ly/2rOYgl1

Proposer: Pål Axelsson
Resource requirements: A short term working-group to write up an errorURL profile with recommendations
+1's: Albert Wu
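
The post-login checks listed in the description, sketched as SP-side code. This is an added example, not part of the proposal or of any errorURL profile. The problem codes, the dictionary fields, the per-problem URL map and the 3-minute skew are assumptions made for illustration, and the sample data is constructed.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

REFEDS_MFA = "https://refeds.org/profile/mfa"  # REFEDS MFA authentication context
SKEW = timedelta(minutes=3)                    # assumed clock-skew tolerance

def login_shortcomings(login, policy):
    """Return (code, detail) pairs; the codes are hypothetical, not from any profile."""
    found = []
    attrs = login["attributes"]
    missing = sorted(set(policy["required_attributes"]) - set(attrs))
    if missing:
        found.append(("MISSING_ATTRIBUTE", ",".join(missing)))
    for name, allowed in policy["required_values"].items():
        if name in attrs and not set(attrs[name]) & set(allowed):
            found.append(("MISSING_ATTRIBUTE_VALUE", name))
    if policy["require_mfa"] and login["authn_context"] != REFEDS_MFA:
        # Separate "IdP cannot do MFA" (per its metadata) from "MFA was not performed".
        code = "MFA_NOT_PERFORMED" if login["idp_declares_mfa"] else "MFA_NOT_SUPPORTED"
        found.append((code, REFEDS_MFA))
    # With forceAuthn set, an AuthnInstant older than the request means no fresh login.
    if login["force_authn"] and login["authn_instant"] < login["request_issued"] - SKEW:
        found.append(("FORCEAUTHN_IGNORED", login["authn_instant"].isoformat()))
    return found

def support_url(code, idp_support_urls, error_url):
    """Pick the IdP's page for this problem, else its generic errorURL; https only."""
    for candidate in (idp_support_urls.get(code), error_url):
        if candidate and urlsplit(candidate).scheme == "https" and urlsplit(candidate).netloc:
            return candidate
    return None

# Constructed sample data: one login result, one service policy, one IdP URL map.
T0 = datetime(2020, 1, 15, 9, 0, tzinfo=timezone.utc)
SAMPLE_LOGIN = {
    "attributes": {"eduPersonPrincipalName": ["alice@example.org"],
                   "eduPersonScopedAffiliation": ["student@example.org"]},
    "authn_context": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "idp_declares_mfa": False, "force_authn": True,
    "request_issued": T0, "authn_instant": T0 - timedelta(hours=2)}
SAMPLE_POLICY = {"required_attributes": ["eduPersonPrincipalName", "mail"],
                 "required_values": {"eduPersonScopedAffiliation": ["employee@example.org"]},
                 "require_mfa": True}
SAMPLE_URLS = {"MISSING_ATTRIBUTE": "https://idp.example.org/help/attributes",
               "FORCEAUTHN_IGNORED": "http://idp.example.org/help/reauth"}

if __name__ == "__main__":
    for code, detail in login_shortcomings(SAMPLE_LOGIN, SAMPLE_POLICY):
        print(code, detail, support_url(code, SAMPLE_URLS, "https://idp.example.org/error"))
```

The URL comes from IdP-supplied data and ends up as a link shown to the user, which is why `support_url` accepts only absolute https URLs and otherwise falls back to the generic errorURL.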
