no metadata for the SP
Cantor, Scott
cantor.2 at osu.edu
Fri Nov 21 15:15:57 EST 2014
On 11/21/14, 7:37 PM, "Tom Scavo" <trscavo at gmail.com> wrote:
>When the IdP receives an AuthnRequest at a SingleSignOnService
>endpoint, the IdP consults metadata before interacting with the user.
>AFAIK, if the IdP lacks metadata for the SP, the transaction fails
>outright, without even presenting the login interface to the user. In
>this case, the user is stranded at the IdP, with no chance for either
>party to recover.
Sending them back to the SP presumes the much less common scenario that
the SP is willing to handle errors. I realize that some do, but there are
far more that never would, so I could never allow that to happen as an IdP
operator. I can't know which ones will. So it's not really a solvable
problem.
>My question is: Can the IdP be configured to respond with a SAML error
>if there is no metadata for the SP? If so, how?
Not in V2, and not in V3 I don't think. The code that prepares the
information needed to issue a response mostly doesn't run when that
happens, so it leaves the request in a state where locally handling it is
the only option.
As far as what that error looks like, it's just a template now, I can
change the defaults. Right now the message is just "The application you
have accessed is not registered for use with this service."
-- Scott
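As an added illustration of the decision the thread describes (not code from the Shibboleth project or from either poster), the following Python sketch models an IdP receiving an AuthnRequest: it looks the issuer up in a constructed metadata registry, renders the "not registered" error locally when no metadata exists, and can only build a SAML Responder-status error when metadata supplies a trusted endpoint to deliver it to. The entityIDs, endpoints, request XML and the refusal of an ACS URL that is absent from metadata are this example's own assumptions, not statements from the thread.

```python
"""Toy model of the decision an IdP makes when an AuthnRequest arrives.
Constructed illustration for this thread, not Shibboleth IdP code; the
entityIDs, endpoints and request XML below are made up."""
from dataclasses import dataclass
from typing import Dict, Optional, Set
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
NOT_REGISTERED = ("The application you have accessed is not registered "
                  "for use with this service.")

# Constructed metadata registry: entityID -> registered ACS endpoints.
METADATA: Dict[str, Set[str]] = {
    "https://sp.example.org/shibboleth": {
        "https://sp.example.org/Shibboleth.sso/SAML2/POST",
    },
}


@dataclass
class Outcome:
    kind: str                   # "local_error" or "proceed"
    destination: Optional[str]  # where a Response could be delivered
    detail: str


def parse_authn_request(xml_text: str):
    """Return (issuer entityID, requested ACS URL or None, request ID)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("AuthnRequest carries no saml:Issuer")
    return issuer.text.strip(), root.get("AssertionConsumerServiceURL"), root.get("ID")


def resolve_destination(entity_id, requested_acs, metadata=METADATA):
    """The only endpoints this model will deliver to are the ones in metadata
    (an assumption of the example)."""
    endpoints = metadata.get(entity_id)
    if not endpoints:
        return None
    if requested_acs is None:
        return sorted(endpoints)[0]
    return requested_acs if requested_acs in endpoints else None


def handle_authn_request(xml_text, metadata=METADATA) -> Outcome:
    entity_id, requested_acs, _ = parse_authn_request(xml_text)
    if entity_id not in metadata:
        # No metadata: no trusted endpoint exists, so the only option is to
        # render an error page at the IdP itself (the behaviour in the thread).
        return Outcome("local_error", None, NOT_REGISTERED)
    destination = resolve_destination(entity_id, requested_acs, metadata)
    if destination is None:
        # Metadata exists but the requested ACS is not registered in it;
        # refusing locally is safer than delivering to an unverified URL.
        return Outcome("local_error", None, "requested ACS not in metadata")
    return Outcome("proceed", destination, "metadata found; continue to login")


def build_saml_error_response(entity_id, in_response_to, issuer,
                              requested_acs=None, metadata=METADATA) -> Optional[str]:
    """A SAML Response carrying a Responder status, for an SP willing to
    handle errors.  Returns None when metadata yields no destination, which
    is why such a response cannot be issued for an SP without metadata."""
    destination = resolve_destination(entity_id, requested_acs, metadata)
    if destination is None:
        return None
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    resp = ET.Element("{%s}Response" % NS["samlp"], {
        "ID": "_constructed-response-id", "Version": "2.0",
        "Destination": destination, "InResponseTo": in_response_to,
    })
    ET.SubElement(resp, "{%s}Issuer" % NS["saml"]).text = issuer
    status = ET.SubElement(resp, "{%s}Status" % NS["samlp"])
    ET.SubElement(status, "{%s}StatusCode" % NS["samlp"], {"Value": STATUS_RESPONDER})
    return ET.tostring(resp, encoding="unicode")


# Constructed sample requests: one from a registered SP, one from an unknown SP.
KNOWN_SP_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0"
  AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/POST">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
</samlp:AuthnRequest>"""
UNKNOWN_SP_REQUEST = KNOWN_SP_REQUEST.replace("sp.example.org", "unknown.example.net")

if __name__ == "__main__":
    for req in (KNOWN_SP_REQUEST, UNKNOWN_SP_REQUEST):
        print(handle_authn_request(req))
```

Running the module prints a `proceed` outcome for the registered SP and a `local_error` outcome carrying the "not registered" text for the unknown one; `build_saml_error_response` returns `None` for the unknown SP because there is no metadata-derived endpoint to address the Response to.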