The Incommon Federation wiki has moved.

Please visit the new InCommon Federation Library wiki for updated content. Remember to update your bookmarks.

Click in the link above if you are not automatically redirected in 15 seconds.

Error Handling URL in Metadata

Meeting Baseline Expectations

InCommon will phase in the Baseline Expectations program through much of calendar year 2018. Over time, this program will make some metadata elements mandatory and others recommended, including the Error Handling URL. For more information, see the Baseline Expectations wiki page.

While contacts in metadata are principally for communication between participants, the errorURL attribute in identity provider metadata is designed for facilitating feedback to users when problems occur that are explicitly the domain of the identity provider. A common example is a failure to obtain the required user information (attributes) while the user is accessing a service.

All identity providers SHOULD supply a URL to a page hosted by them that explains to users what their course of action should be, particularly in the case where an identity provider fails to supply the user attributes required by a service (this will become mandatory under Baseline Expectations). The actual course of action communicated to the user will depend on policy and practice at the identity provider, and could include email lists, help desk contact information, or explanations as to the limits on intended use of a service. Some possible examples include:

  • Tell the user how to contact the appropriate service point (e.g., help desk, IdM support, etc.) to report the problem. Include suggestions on what information the user should include in their message. Perhaps embed an email tool in the errorURL page to simplify the reporting process.
  • If the IdP is configured to release a default set of personally identifiable attributes to InCommon member SPs, then describe the FERPA process and how it restricts attribute release, and the local process to opt into FERPA.

While error pages may certainly describe general classes of errors and response guidance, it is most important that attribute-related issues be addressed. Most other problems are better handled directly by service providers on behalf of users by leveraging contact information.

Uses of Error Handling URL

The errorURL is an important component of Federated Error Handling, which is a centralized service offered to participating service providers. Failure to supply an errorURL in IdP metadata will limit the service provider's ability to guide users toward an appropriate course of action and may result in email to unprepared help desk staff and other unwanted outcomes.

InCommon offers a centralized Federated Error Handling Service for service providers. This service relies on the error handling URL in IdP metadata.

The errorURL may also be leveraged during discovery. Instead of listing all IdPs in the Federation, a discovery interface may be configured to present only those IdPs with an errorURL in metadata. This increases the chance of a good user experience.

Technical Requirements

  • Each <md:IDPSSODescriptor> element SHOULD contain an errorURL XML attribute pointing to a page hosted by the identity provider organization.

#trackbackRdf ($trackbackUtils.getContentIdentifier($page) $page.title $trackbackUtils.getPingUrl($page))
  • No labels