
This document contains DRAFT material intended for discussion and comment by the InCommon participant community.  Comments and questions should be sent to the InCommon participants mailing list.

Error Handling URL in Metadata

While contacts in metadata are principally for communication between participants, the errorURL attribute in identity provider metadata is designed to facilitate feedback to users when problems occur that are explicitly the domain of the identity provider. A common example is a failure to obtain the required user information (attributes) while the user is accessing a service.

All identity providers SHOULD supply a URL to a page hosted by them that explains to users what their course of action should be, particularly in the case where an identity provider fails to supply the user attributes required by a service. The actual course of action communicated to the user will depend on policy and practice at the identity provider, and could include email lists, help desk contact information, or explanations as to the limits on intended use of a service. Some possible examples include:

  • Tell the user how to contact the appropriate service point (e.g., help desk, IdM support, etc.) to report the problem. Include suggestions on what information the user should include in their message. Perhaps embed an email tool in the errorURL page to simplify the reporting process.
  • If the IdP is configured to release a default set of personally identifiable attributes to InCommon member SPs, then describe the FERPA process and how it restricts attribute release, and the local process to opt into FERPA.

While error pages may certainly describe general classes of errors and response guidance, it is most important that attribute-related issues be addressed. Most other problems are better handled directly by service providers on behalf of users by leveraging contact information.

Uses of Error Handling URL

The errorURL is an important component of Federated Error Handling, which is a centralized service offered to participating service providers. Failure to supply an errorURL in IdP metadata will limit the service provider's ability to guide users toward an appropriate course of action and may result in email to unprepared help desk staff and other unwanted outcomes.

InCommon offers a centralized Federated Error Handling Service for service providers. This service relies on the error handling URL in IdP metadata.

The errorURL may also be leveraged during discovery. Instead of listing all IdPs in the Federation, a discovery interface may be configured to present only those IdPs with an errorURL in metadata. This increases the chance of a good user experience.

Technical Requirements

  • Each <md:IDPSSODescriptor> element SHOULD contain an errorURL XML attribute pointing to a page hosted by the identity provider organization.
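The following script is an added example, not part of this wiki page or any InCommon tool. It performs the check implied by the requirement above (every <md:IDPSSODescriptor> carries an errorURL) and the discovery filter described earlier (list only IdPs that have one), by walking a SAML 2.0 metadata aggregate with the standard library XML parser. The metadata aggregate embedded in it is constructed with hypothetical entityIDs; the requirement that the errorURL be an absolute https URL is this example's own policy, since the page only asks for a page hosted by the identity provider organization.

```python
"""Audit a SAML 2.0 metadata aggregate for the errorURL attribute on IdP roles."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# SAML 2.0 metadata namespace; errorURL itself is an unqualified attribute
# on the <md:IDPSSODescriptor> element.
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ENTITY_DESCRIPTOR = "{%s}EntityDescriptor" % MD_NS
IDP_SSO_DESCRIPTOR = "{%s}IDPSSODescriptor" % MD_NS

# Constructed sample aggregate (hypothetical entityIDs, not real InCommon metadata):
# one IdP with a usable errorURL, one with none, one with a relative value,
# and one service provider that should not appear in the report at all.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:example:constructed-aggregate">
  <md:EntityDescriptor entityID="https://idp-a.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
        errorURL="https://idp-a.example.edu/federation/help"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp-b.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp-c.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
        errorURL="/federation/help"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def check_error_url(url):
    """Return None if the errorURL is usable by a service provider, else a reason.

    Requiring an absolute https URL is this example's own policy (assumption);
    the page only asks for a page hosted by the IdP organization.
    """
    parsed = urlparse(url.strip())
    if not parsed.scheme or not parsed.netloc:
        return "not an absolute URL"
    if parsed.scheme != "https":
        return "scheme is %s, expected https" % parsed.scheme
    return None


def audit_idps(metadata_xml):
    """Map each IdP entityID to 'ok', 'missing', or 'invalid: <reason>'.

    Entities without an <md:IDPSSODescriptor> (for example pure SPs) are skipped,
    and nested <md:EntitiesDescriptor> groups are handled by iterating the tree.
    """
    root = ET.fromstring(metadata_xml)
    report = {}
    for entity in root.iter(ENTITY_DESCRIPTOR):
        entity_id = entity.get("entityID")
        for desc in entity.findall(IDP_SSO_DESCRIPTOR):
            url = desc.get("errorURL")
            if url is None:
                report[entity_id] = "missing"
                continue
            problem = check_error_url(url)
            report[entity_id] = "ok" if problem is None else "invalid: " + problem
    return report


def discovery_candidates(metadata_xml):
    """entityIDs a discovery interface could list when showing only IdPs with a usable errorURL."""
    return sorted(eid for eid, status in audit_idps(metadata_xml).items() if status == "ok")


if __name__ == "__main__":
    for entity_id, status in sorted(audit_idps(SAMPLE_METADATA).items()):
        print("%-50s %s" % (entity_id, status))
    print("discovery list:", discovery_candidates(SAMPLE_METADATA))
```

Running the script against the constructed aggregate reports idp-a as ok, idp-b as missing and idp-c as invalid, and the discovery list contains only idp-a. To audit real federation metadata, read the downloaded aggregate into a string and pass it to audit_idps; the signature on the aggregate should still be verified separately before trusting its contents.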
