Handling specific error subtypes in SP
Guillaume Rousse
guillaume.rousse at renater.fr
Tue Sep 3 04:05:27 EDT 2019
Hello list.
We are trying to present helpful error messages to our users,
intelligible to them, along the lines of the eduGAIN advice
(https://wiki.geant.org/display/eduGAIN/How+to+configure+login+error+messages+for+your+SP).
This means favoring plain-text explanations over technical details.
The current granularity of error types in the SP is well suited for some
categories, such as metadata errors, for instance. In our context (we
produce the metadata, and we control our discovery services), this
only happens when an admin registers an IdP in a federation and tests it
before the metadata update reaches the SP, so we can safely assume a
metadata error means the tester didn't wait long enough, and issue an error
page along the lines of "Unknown IdP, you probably didn't wait long enough after
registration".
However, other categories, such as session errors, have a broader scope
and many more potential root causes, which makes it difficult to issue a
pertinent message for a non-technical audience. Additionally, for a
non-English audience, part of the message doesn't come from the
template itself, but from application internals (such as the text
produced by the <shibmlp errorText/> and <shibmlp statusMessage/> elements),
and can't be translated AFAIK.
In particular, failure to satisfy an authentication request with a
specific authnContextClassRef will result in an error message easily
identifiable by an administrator, but not by the end user, whereas we'd
like to issue a message along the lines of "your authentication service
doesn't satisfy the authentication requirements for this application, please
contact your own IT service".
The current template language does support some conditionals, but only for
defined/undefined parameters, not for complete expressions such as
  if statusCode2 == 'urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext'
Unless I'm missing something, support for this use case requires
additional development. Would a PR to the SP code providing either new,
more specific error categories, or support for expression evaluation
inside templates, receive favorable attention?
Regards
--
Guillaume Rousse
Pôle SSI
Tel: +33 1 53 94 20 45
www.renater.fr
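One way to get the value-based conditional the post asks for without changing the SP is to move the decision out of the template into a small external error handler. The following is an added example, not code from the original post or from the Shibboleth project. It assumes the SP is configured to redirect errors to an external page (the Errors element's redirectErrors attribute) and that the handler receives the template parameters named in the post (errorType, statusCode, statusCode2, errorText, entityID) as query-string parameters; the errorType values "metadata" and "session" are assumptions taken from the categories the post names and should be checked against the SP version in use. The handler compares statusCode2 against the SAML NoAuthnContext status, picks a translated plain-text message, and keeps the technical errorText in the server log under a reference id rather than showing it to the user.

```python
"""Plain-language error pages for a Shibboleth SP from its error parameters.

Added example (not from the post or the Shibboleth project). Assumes the SP
redirects errors to this handler with errorType, statusCode, statusCode2,
errorText and entityID as query parameters; the errorType values used below
are assumptions taken from the categories named in the post.
"""
import logging
import uuid
from urllib.parse import parse_qs, urlparse

log = logging.getLogger("sp-errors")

# Second-level SAML 2.0 status codes (SAML 2.0 core specification).
NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"
AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"

# User-facing text by symbolic reason, then language (constructed sample wording).
MESSAGES = {
    "unknown_idp": {
        "en": "Unknown identity provider. If it was registered recently, its metadata "
              "has probably not reached this service yet. Please wait and try again.",
        "fr": "Fournisseur d'identité inconnu. S'il a été enregistré récemment, ses "
              "métadonnées n'ont probablement pas encore atteint ce service. Réessayez plus tard.",
    },
    "no_authn_context": {
        "en": "Your authentication service does not satisfy the authentication "
              "requirements of this application. Please contact your own IT service.",
        "fr": "Votre service d'authentification ne satisfait pas les exigences de cette "
              "application. Veuillez contacter votre service informatique.",
    },
    "authn_failed": {
        "en": "Your identity provider reported that authentication failed. Please try again.",
        "fr": "Votre fournisseur d'identité a signalé un échec d'authentification. Réessayez.",
    },
    "generic": {
        "en": "Login failed. If the problem persists, contact support and quote reference {ref}.",
        "fr": "La connexion a échoué. Si le problème persiste, contactez le support en citant "
              "la référence {ref}.",
    },
}


def classify(params):
    """Pick a symbolic reason from the SP parameters.

    The second-level SAML status code is the most specific signal and is checked
    first; the SP's coarse error category is the fallback. This equality test on
    statusCode2 is what the SP template language cannot express by itself.
    """
    status2 = params.get("statusCode2", "")
    if status2 == NO_AUTHN_CONTEXT:
        return "no_authn_context"
    if status2 == AUTHN_FAILED:
        return "authn_failed"
    if params.get("errorType", "").lower() == "metadata":  # assumed errorType value
        return "unknown_idp"
    return "generic"


def pick_language(accept_language, available=("en", "fr"), default="en"):
    """Choose the first available language from an Accept-Language header
    (client order is kept, q-values are ignored); fall back to the default."""
    for item in accept_language.split(","):
        primary = item.split(";")[0].strip().lower().split("-")[0]
        if primary in available:
            return primary
    return default


def render_error(redirect_url, accept_language=""):
    """Turn the SP's redirect URL into (user_message, reference_id).

    Technical details (errorText, statusCode, entityID) are logged for
    administrators under the reference id and never shown to the end user.
    """
    params = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
    ref = uuid.uuid4().hex[:8]
    log.warning("sp error ref=%s type=%s entityID=%s status=%s/%s text=%s",
                ref, params.get("errorType"), params.get("entityID"),
                params.get("statusCode"), params.get("statusCode2"),
                params.get("errorText"))
    lang = pick_language(accept_language)
    return MESSAGES[classify(params)][lang].format(ref=ref), ref


if __name__ == "__main__":
    # Constructed sample of what the SP would append to the redirect URL.
    url = ("https://sp.example.org/error?errorType=session"
           "&statusCode=urn:oasis:names:tc:SAML:2.0:status:Responder"
           "&statusCode2=urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"
           "&entityID=https://idp.example.edu/idp"
           "&errorText=SAML+response+reported+an+IdP+error.")
    message, ref = render_error(url, "fr-FR,fr;q=0.9,en;q=0.8")
    print(ref, message)
```

The precedence in classify is deliberate: a session error carrying a NoAuthnContext second-level status gets the specific "contact your IT service" text, while a session error with no recognisable status falls through to the generic message with a reference id, so the user has something to quote and the administrator can find the full errorText in the log.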