Page tree
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 42 Current »

Jump to: 

Updating Error URL in Federation Manager

Log into the Federation Manager as a Site Administrator(SA).

Click on the entity you wish to update to bring up the View/Edit page.

On the left navigation, click "Error URL" to bring up the Error URL section. Click the edit button to edit the Error URL.

Remember: your IdP metadata is not published to the InCommon metadata until you submit it for publishing using the "Submit This Entity for Publishing" button in the Review and Submit section. When you are ready to publish your metadata, don't forget to press that button.

About the Error URL

errorURL  is an attribute present in an Identity Provider's (IdP) metadata. It provides a way for the Service Provider (SP) to direct the user  back to an IdP for additional help when the SP is unable to grant user access into the service because of (most commonly) missing required information from the IdP.

All identity providers SHOULD supply a URL to a page hosted at the IdP's organization. The page should clearly explain to the end user how to seek help to resolve access issues due to missing user attributes required by a service. Example of information may include:

  • Tell the user how to contact the appropriate service point (e.g., help desk, IdM support, etc.) to report the problem. Include suggestions on what information the user should include in their message. Perhaps embed an email tool in the errorURL page to simplify the reporting process.

  • If the IdP is configured to release a default set of personally identifiable attributes to InCommon member SPs, describe how FERPA or other privacy legislations limits attribute release, and the local process to opt in to release user attributes.

Using the Error URL (from a SP perspective)

When processing a federated sign-in, a SP may find that the authentication assertion from the IdP may be missing needed information or technical requirements to grant access where the issue needs to be addressed at the IdP side. Examples may include:

  • Too few attributes are sent from the IdP
  • Required attribute value is not sent from the IdP
  • The service requires REFEDS MFA capability of the IdP but not supported by IdP (according to IdP Metadata)
  • The IdP doesn't seem to support the forceAuthn SAML flag (either a SAML error from the errorURL or the AuthenticationInstant is not refreshed

Where appropriate, an SP may direct the user to the web page at the IdP's errorURL for additional help. It is a good user experience practice to display a page explaining to the user why they are being redirected to the IdP's errorURL before doing so. 

IMPORTANT! DO NOT direct the user back to the IdP if the error an SP error unrelated to the IdP (for example, an application error). 

Error URL in SAML

errorURL is an XML attribute defined in the <md:IDPSSODescriptor> element.  

  • No labels