1. Consideration of the proposal from ACAMP -
  2. Working Document
  3. Review of possible error states
  4. Discussion on what other information may be needed


Consideration of the proposal from ACAMP -

Syntax of errorURL

errorURL is added in the IDPSSODescriptor tag:

<md:IDPSSODescriptor errorURL="">

There is only one errorURL per IdP. The ID could be used as a query-string to the errorURL, or more generic, at TAG in the errorURL can be replaced by any of the ID:s in the definitions above. Examples:


I.e. it is up to the IdP to optionally include the TAG in the errorURL. IdP:s are expected to handle unknown (new) TAG values appropriately. TAG includes only [A-Z0-9_].

For example, if a user has logged in to an SP from KAU and the SP is with missing attributes, it should point the user to the url



errorURL [Optional]

Optional URI attribute that specifies a location to direct a user for problem resolution and additional support related to this role.


  • MISSING_ATTRIBUTES (could be a scope issue)

Additional fields that will be required

The most common case might be the missing attributes; we do not want to pass back the list of missing attributes, we want to provide a link to “what to do about missing attributes”. In this case, we could be more specific, but it may be of limited value. If there is some generally useful thing to do, though, it will eventually find its way into code.

Possible error states:

Next steps: update Working Document; wrap up possible error states; consider any additional fields that will be required -- focus on what different information pages the IdP:s want to have! the error codes should be mapped one-to-one with that