no metadata for the SP

Cantor, Scott cantor.2 at
Fri Nov 21 15:15:57 EST 2014

On 11/21/14, 7:37 PM, "Tom Scavo" <trscavo at> wrote:

>When the IdP receives an AuthnRequest at a SingleSignOnService
>endpoint, the IdP consults metadata before interacting with the user.
>AFAIK, if the IdP lacks metadata for the SP, the transaction fails
>outright, without even presenting the login interface to the user. In
>this case, the user is stranded at the IdP, with no chance for either
>party to recover.

Sending them back to the SP presumes the much less common scenario that 
the SP is willing to handle errors. I realize that some do, but there are 
far more that never would, so I could never allow that happen as an IdP 
operator. I can't know which ones will. So it's not really a solvable 

>My question is: Can the IdP be configured to respond with a SAML error
>if there is no metadata for the SP? If so, how?

Not in V2, and not in V3 I don't think. The code that prepares the 
information needed to issue a response mostly doesn't run when that 
happens, so it leaves the request in a state where locally handling it is 
the only option.

As far as what that error looks like, it's just a template now, I can 
change the defaults. Right now the message is just "The application you 
have accessed is not registered for use with this service."

-- Scott

More information about the users mailing list