OpenSAML user discussion

["Scott Cantor" <>]

> [this isn't specifically an opensaml question, but one on the SAML
Profiles
> spec - apologies if there's a better place to ask it]

There's a saml-dev list at OASIS for general SAML questions.

> What happens if the user fails the authentication step (e.g. enter the
wrong
> password)?
> 
> Does that count as failure of the <AuthnRequest>, so that some kind of
> <Response> should be delivered back to the SP?
> 
> Or should the IDP return an error to the SP?
> 
> If the latter, how should the error be delivered to the SP?

If you want to return an error, you return a Response with an error in it
using a supported or SP chosen binding. If not, you stay engaged with the
user.

SPs don't like or want to see IdPs trapping users and refusing to get them
back to the SP at some point, and that business issue is one of the major
drivers against consumer federation. It depends on the SP, the IdP, the
specific error, the business scenario, whether the user can rectify the
problem, etc. IdPs need to be configurable in hundreds of aspects like this
to be robust.

That text has been tweaked in errata as well and there is discussion of it
within the last few months on the official TC list.

-- Scott