Comment: Added comment on attribute names

...


Line / Reference | Proposed Change or Query | Proposer | Action / Decision (please leave blank)

1 | 2.4. returnURL

What seems to be missing from this specification is a way to let the user continue to do what he/she came to do: use the SP.

If the federated login via the institution did not work, e.g. because of MISSING_ATTRIBUTES, the user may now end up at an IdP error page. Regardless of the root cause of the error, it is unlikely the IdP will be able to mitigate this problem within the time the user wants to get access to the SP. Effectively we have now siloed the user into a place where there is no obvious way to continue, and the user is 'lost' to the SP, as the SP is several redirects away. That is a rather poor user experience.
However, the SP might be offering other means of login to the service, e.g. social or guest IdP login, or perhaps access to the SP with fewer privileges. With this proposal, there is now no easy way for the user to return to the SP and use an alternative.
I would therefore propose to add a capability to let the SP add a 'return URL' to the Optional Placeholders so a user may, after having been informed by the IdP of the issue, return to the SP and continue to work. In this way the IdP error page could present a link or button to allow the user to "Return to the service".

===

2.4. returnURL

An optional URL set by the Service that the IdP can present to the end user to allow the user to continue using the Service via some other authentication method. The returnURL MUST appear within the query string of the URL. This requirement allows the URL-encoding rules to be less ambiguous.

===

It is already very inconvenient that the user was not able to use federated login. We should not punish the user twice by blocking him from continuing to do his work.

Niels
2 | 2.3.4

If ERRORURL_CODE is “MISSING_ATTRIBUTES”, this value if present SHOULD be set to a space-delimited list of the names of the missing attributes and, if appropriate, URIs of the applicable entity categories.

The "name of missing attributes" might lead to some SPs mentioning the friendly names or their local human readable attribute names. This might lead to inconsistencies. It would be more consistent if the specification said that this value should present a space-delimited list of attribute names in urn:oid:#LDAP OID# format or as declared by the SP in its RequestedAttribute elements.



Lukas
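The two proposals in this table, Niels's returnURL placeholder and Lukas's urn:oid attribute-name format, meet in one round trip: the SP fills the IdP's errorURL template and redirects the user, and the IdP error page reads the values back and decides what to offer. The Python below is an added illustration written for this page, not code from the errorURL specification or from either commenter; the host names, the ctx placeholder name, the allowlist of return hosts and the validation rules are all assumptions of this example.

```python
import re
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Attribute names in the form proposed above: urn:oid:<dotted OID>.
OID_RE = re.compile(r"^urn:oid:\d+(?:\.\d+)+$")

# Constructed IdP errorURL template (hypothetical host). ERRORURL_CODE is the
# placeholder named on this page; the ctx placeholder name is an assumption.
IDP_ERROR_URL = "https://idp.example.org/error?code=ERRORURL_CODE&ctx=ERRORURL_CTX"


def build_error_redirect(template, code, missing_attributes=(), return_url=None):
    """SP side: fill the IdP's errorURL template.

    Placeholder values are percent-encoded because they land in the query
    string. For MISSING_ATTRIBUTES the context value is the space-delimited
    list of urn:oid names; returnURL (the proposal in row 1) is appended as
    an ordinary query parameter so the IdP can parse it unambiguously.
    """
    for name in missing_attributes:
        if not OID_RE.match(name):
            raise ValueError(f"not a urn:oid attribute name: {name}")
    ctx = " ".join(missing_attributes) if code == "MISSING_ATTRIBUTES" else ""
    url = template.replace("ERRORURL_CODE", quote(code, safe=""))
    url = url.replace("ERRORURL_CTX", quote(ctx, safe=""))
    if return_url:
        url += ("&" if "?" in url else "?") + urlencode({"returnURL": return_url})
    return url


def parse_error_request(url, allowed_return_hosts):
    """IdP side: recover the values and decide whether to show a return link.

    The IdP never links to an arbitrary returnURL: a 'Return to the service'
    button is only offered when the URL is https and its host is on an
    allowlist (assumed here to be derived from the SP's registered metadata),
    which keeps the error page from becoming an open redirector.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    code = query.get("code", [""])[0]
    names = [n for n in query.get("ctx", [""])[0].split(" ") if n]
    malformed = [n for n in names if not OID_RE.match(n)]
    result = {
        "code": code,
        "missing_attributes": names,
        "malformed": malformed,
        "return_url": None,
    }
    raw = query.get("returnURL", [None])[0]
    if raw:
        parts = urlsplit(raw)
        if parts.scheme == "https" and parts.hostname in allowed_return_hosts:
            result["return_url"] = raw
    return result


if __name__ == "__main__":
    # Constructed sample: an SP that did not receive mail and eduPersonPrincipalName.
    redirect = build_error_redirect(
        IDP_ERROR_URL,
        "MISSING_ATTRIBUTES",
        ["urn:oid:0.9.2342.19200300.100.1.3", "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"],
        return_url="https://sp.example.edu/login?alt=guest",
    )
    print(redirect)
    print(parse_error_request(redirect, {"sp.example.edu"}))
```

The allowlist check in `parse_error_request` is the caveat that goes with the returnURL proposal: an IdP that renders a link to whatever returnURL arrives in the query string can be steered to any destination by anyone who can craft an error URL, so binding the permitted hosts to the relying party's registered metadata (or an equivalent trust anchor) is what keeps the "Return to the service" button safe to show. The urn:oid check on both sides is the consistency Lukas asks for: friendly names such as a local display name are rejected when the SP builds the URL and flagged as malformed if they arrive at the IdP anyway.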