Error Handling URL in Metadata
Meeting Baseline Expectations
While contacts in metadata are principally for communication between participants, the errorURL attribute in identity provider metadata is designed for facilitating feedback to users when problems occur that are explicitly the domain of the identity provider. A common example is a failure to obtain the required user information (attributes) while the user is accessing a service.
All identity providers SHOULD supply a URL to a page hosted by them that explains to users what their course of action should be, particularly in the case where an identity provider fails to supply the user attributes required by a service (this will become mandatory under Baseline Expectations). The actual course of action communicated to the user will depend on policy and practice at the identity provider, and could include email lists, help desk contact information, or explanations as to the limits on intended use of a service. Some possible examples include:
- Tell the user how to contact the appropriate service point (e.g., help desk, IdM support, etc.) to report the problem. Include suggestions on what information the user should include in their message. Perhaps embed an email tool in the errorURL page to simplify the reporting process.
- If the IdP is configured to release a default set of personally identifiable attributes to InCommon member SPs, then describe the FERPA process and how it restricts attribute release, and the local process to opt into FERPA.
While error pages may certainly describe general classes of errors and response guidance, it is most important that attribute-related issues be addressed. Most other problems are better handled directly by service providers on behalf of users by leveraging contact information.
Uses of Error Handling URL
errorURL is an important component of Federated Error Handling, which is a centralized service offered to participating service providers. Failure to supply an errorURL in IdP metadata will limit the service provider's ability to guide users toward an appropriate course of action and may result in email to unprepared help desk staff and other unwanted outcomes.
InCommon offers a centralized Federated Error Handling Service for service providers. This service relies on the error handling URL in IdP metadata.
errorURL may also be leveraged during discovery. Instead of listing all IdPs in the Federation, a discovery interface may be configured to present only those IdPs with an errorURL in metadata. This increases the chance of a good user experience.
The <md:IDPSSODescriptor> element SHOULD contain an errorURL XML attribute pointing to a page hosted by the identity provider organization.
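As an added illustration (not code from InCommon or the original page) of the three uses described above, the following Python reads a constructed SAML metadata aggregate, extracts the errorURL attribute from each <md:IDPSSODescriptor>, filters a discovery list down to IdPs that publish one, and decides what a service provider should show a user after an attribute-release failure: the IdP's own errorURL when present, otherwise the contact addresses from that IdP's metadata. The entity IDs, hostnames and addresses are invented for the example, and the code assumes the aggregate has already been signature-verified before it is parsed; it also accepts only https errorURL values so that a malformed entry cannot turn the SP's error page into a redirect to an arbitrary scheme.

```python
"""Read errorURL from SAML IdP metadata and use it for discovery and error handling.

Added example: the metadata below is constructed for illustration and is not
InCommon's. It is assumed to have passed signature verification already.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}

# Constructed aggregate: one IdP with an errorURL, one without.
SAMPLE_METADATA = """
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor errorURL="https://idp.example.edu/help/federation-error"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
    <md:ContactPerson contactType="support">
      <md:EmailAddress>mailto:help@example.edu</md:EmailAddress>
    </md:ContactPerson>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.other.example/idp">
    <md:IDPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.other.example/sso"/>
    </md:IDPSSODescriptor>
    <md:ContactPerson contactType="technical">
      <md:EmailAddress>mailto:saml-admin@other.example</md:EmailAddress>
    </md:ContactPerson>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def safe_https_url(url):
    """Return url only if it is an absolute https URL, else None.

    The SP will send users to this address, so anything else (javascript:,
    data:, relative paths, plain http) is treated as absent.
    """
    if not url:
        return None
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.netloc:
        return None
    return url.strip()


def parse_idps(metadata_xml):
    """Map entityID -> {"errorURL": str|None, "contacts": [email strings]} for each IdP."""
    root = ET.fromstring(metadata_xml)
    idps = {}
    for ed in root.iter("{%s}EntityDescriptor" % MD_NS):
        idpsso = ed.find("md:IDPSSODescriptor", NS)
        if idpsso is None:
            continue  # SP-only or non-SAML2 entity; not an IdP
        contacts = [
            e.text.strip()
            for e in ed.findall("md:ContactPerson/md:EmailAddress", NS)
            if e.text
        ]
        idps[ed.get("entityID")] = {
            "errorURL": safe_https_url(idpsso.get("errorURL")),
            "contacts": contacts,
        }
    return idps


def discovery_candidates(idps):
    """IdPs a discovery interface may present when configured to require an errorURL."""
    return sorted(eid for eid, info in idps.items() if info["errorURL"])


def attribute_failure_guidance(idps, entity_id, missing_attributes):
    """Decide what the SP shows a user when an IdP did not release required attributes.

    Attribute problems are the IdP's domain, so prefer the IdP's errorURL.
    Without one, fall back to the IdP's published contact addresses.
    """
    info = idps.get(entity_id)
    if info is None:
        return {"action": "unknown_idp", "missing": missing_attributes}
    if info["errorURL"]:
        return {"action": "redirect", "url": info["errorURL"], "missing": missing_attributes}
    return {"action": "show_contacts", "contacts": info["contacts"], "missing": missing_attributes}


if __name__ == "__main__":
    idps = parse_idps(SAMPLE_METADATA)
    print("discovery list:", discovery_candidates(idps))
    for eid in idps:
        print(eid, "->", attribute_failure_guidance(idps, eid, ["eduPersonPrincipalName"]))
```

In a real deployment the aggregate would come from the federation's metadata feed and the guidance would be rendered on the SP's error page; the shape above is the decision an SP makes once it has an errorURL to work with.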