
mace-opensaml-users - [OpenSAML] SAML Profile question

Subject: OpenSAML user discussion

  • From: Chris Card <>
  • To: <>
  • Subject: [OpenSAML] SAML Profile question
  • Date: Thu, 26 Aug 2010 10:21:01 +0000
  • Importance: Normal

Hi,

[this isn't specifically an opensaml question, but one on the SAML Profiles spec - apologies if there's a better place to ask it]

I'm looking at sections 4.1.3.4 Identity Provider Identifies Principal and 4.1.3.5 Identity Provider Issues <Response> to Service Provider, of the SAML Profiles 2.0 spec.

In 4.1.3.4 it says:

At any time during the previous step or subsequent to it, the identity provider MUST establish the identity
of the principal (unless it returns an error to the service provider).

In 4.1.3.5 it says:

Regardless of the success or failure of the <AuthnRequest>, the identity provider SHOULD produce an
HTTP response to the user agent containing a <Response> message or an artifact, depending on the
SAML binding used, to be delivered to the service provider's assertion consumer service.

What happens if the user fails the authentication step (e.g. enters the wrong password)?

Does that count as failure of the <AuthnRequest>, so that some kind of <Response> should be delivered back to the SP?

Or should the IDP return an error to the SP?

If the latter, how should the error be delivered to the SP?

Chris




