Shibboleth Developers

["Scott Cantor" <>]

> Out of interest, if the IDP (or the authentication provider) receives a
> request with ispassive=true and there is no existing local security
context
> at the IDP (or authentication provider), should the IDP be sending back a
> formal SAML error?

Yes.

> Is this what Shib IDP does?

Far as I know it sends back the error the SAML specification requires it to
send back.

> Is this common practice in the websso profile community?

I know of no such community.
 
> Is there any writeup anywhere on what motivates Shib SP to handle inbound
> errors the way it does?

Displaying them or redirecting to an application to handle them? No, since
offhand I can't think of any other options. Please suggest another.

-- Scott