...
MISSING_ATTRIBUTES
AUTHORIZATION_FAILURE (e.g., entitlement, assurance)
REQ_AUTHN_CONTEXT (i.e., requested authentication class issue)
AUTHN_TOO_OLD (i.e., time sense authentication is too large)
SCOPE (needs further discussion, detected and filtered by at least Shib SP, not distinguished from MISSING_ATTRIBUTES by the application behind the SP in the proxy case)
Next steps: update Working Document; wrap up possible error states; consider any additional fields that will be required -- focus on what different information pages the IdP:s want to have! the error codes should be mapped one-to-one with that