Handling specific error subtypes in SP
guillaume.rousse at renater.fr
Tue Sep 3 04:05:27 EDT 2019
We are trying to present helpful error messages to our users,
intelligible for them, in the line of eduGAIN advices
Which means favoring plaintext explanations over technical details.
The current granularity of error types in SP is well suited for some
categories, such as metadata errors, for instance. In our context (we
produce the metadata, and we control of our discovery services), this
only happens when an admin registers an IdP in a federation, and test it
before metadata update reaches the SP, so we can safely assume a
metadata error means the tester didn't wait enough, and issue an error
page in the line of "Unknown IdP, you probably didn't wait enough after
However, other categories, such as session errors, have broader scope,
and much more potential root cause, which makes difficult to issue a
pertinent message for a non-technical audience. Additionaly, for
non-english audience, as part of the message doesn't come from the
template itself, but from application internals (such as the ones
produced by <shibmlp errorText/> and <shibmlp statusMessage/> element),
and can't get translated AFAIK.
In particular, failure to satisfy an authentication request with a
specific authnContextClassRef will result in an error message easily
identifiable by an administrator, but not by the end user, whereas we'd
like to issue a message in the line of "your authentication services
doesn't satisfy authentication requirement for this application, please
contact your own IT service".
The current langage template does support some conditional, but only for
defined/undefined parameters, not for complete expression such as
if statusCode2 == 'urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext'
Unless I'm missing something, support for this use case requires
additional development. Would PR to the SP code providing either new
more-specific error categories, or support for expression evaluation
inside template receive favorable attention ?
Tel: +33 1 53 94 20 45
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 3637 bytes
Desc: Signature cryptographique S/MIME
More information about the users