Introduction
This page lists the defined error conditions and how each of them is to be handled.
General Error handling requirements
Errors may occur in many places. When an error is triggered:
- A unique code must be generated.
- A log entry must be written, containing the timestamp, the unique code and a description of the error.
- If an error message is presented to the end user (when applicable, see below), the unique code and a date or timestamp are shown as part of the message, so that if someone sends us a screenshot of the error we have a reference.
- The GUI for presenting an error is defined in the GUIs section (ToDo: Error conditions).
- If an error message is presented to the RP (when applicable, see below), the unique code must be part of the message, so we can reference it should the RP come back to us with questions about the error. I suggest making this part of the error_description. Format: timestamp - uniqueid - error message
- If applicable (see below), a notification should be sent by email to the InAcademia Techs.
Errors in Information flows in InAcademia
Overview of information flows (figure; source: Error conditions)
Error handling table
Errors | End User Message | RP message | InAcademia tech? | Comment |
---|---|---|---|---|
(1) User starts validation at RP | | | | |
out of scope | - | - | - | - |
(2) RP requests claims at OFS | | | | |
2.1 RP is not registered at OFS | no | unauthorized_client | no | as described in OIDC spec* |
2.2 RP registered, but credentials not valid | no | | no | as described in OIDC spec* |
2.3 RP registered, but redirect_uri not valid | no | | no | as described in OIDC spec* |
2.4 Invalid request made by RP (or any other party) | no | | no | as described in OIDC spec* |
2.5 Invalid request parameter values incoming | no | | no | as described in OIDC spec* |
2.6 Optional: rate limit, too many requests per minute? | no | temporarily_unavailable | yes | as described in OIDC spec* |
(3) OFS redirects user to Discovery Service | | | | |
out of scope ** | - | - | - | - |
(4) User selects an IdP | | | | |
out of scope | - | - | - | - |
(5) Discovery service notifies OFS of user choice | | | | |
5.1 Incoming RelayState @OFS not correct | yes | RP is unknown | yes | end-user message described in "Enduser Error messages" |
5.2 Selected IdP unknown to OFS | yes | | yes | end-user message described in "Enduser Error messages". Can we also inform the RP, as well as the end user? |
5.3 Selected IdP not a member of eduGAIN | yes | access_denied | no | end-user message described in "Enduser Error messages". ToDo: NOT an error, but should be logged as a failed transaction |
5.4 Unsolicited response at disco endpoint at OFS *** | out of scope | out of scope | no | HTTP 404? |
5.5 Unsolicited response at non-eduGAIN IdP endpoint at OFS *** | out of scope | out of scope | no | HTTP 404? |
(6) OFS creates SAML AuthN request for IdP | | | | |
6.x Software errors and config problems may trigger errors here | yes | Can we also inform the RP, as well as the end user? | yes | HTTP 418? |
(7) User authenticates at IdP | | | | |
out of scope | - | - | - | - |
(8) IdP replies with AuthN response to OFS | | | | |
8.1 User not authenticated | yes | | no | end-user message described in "Enduser Error messages"; RP as described in OIDC spec* |
8.2 SAML response not correct | yes | access_denied | no | end-user message described in "Enduser Error messages"; RP as described in OIDC spec* |
8.3 IdP did not send the expected attributes | yes | access_denied | yes | end-user message described in "Enduser Error messages"; RP as described in OIDC spec* |
8.4 IdP did not send the expected attribute values | yes | access_denied | yes | end-user message described in "Enduser Error messages"; RP as described in OIDC spec* |
8.5 RelayState modified along the way | yes | RP is unknown | yes | end-user message described in "Enduser Error messages" |
(10) Other errors | | | | |
10.1 User does not give consent | no | access_denied | no | technically not an error, but should be logged as a "failed transaction" and the RP must be notified |
* http://openid.net/specs/openid-connect-core-1_0.html#AuthError; http://tools.ietf.org/html/rfc6749#section-4.2.2.1
** Discovery is handled via discojuice.org
*** The spec does not seem to define how to handle an incorrect response from the disco service, see: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery.pdf
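The following handler applies the general error handling requirements above to rows of the error handling table. It is an added example, not InAcademia's own code: the `ErrorCondition` class, `handle_error`, the `notify` callback and the three table rows it carries are assumptions for illustration; the error codes and messages are the ones this page lists.

```python
import logging
import uuid
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlencode

log = logging.getLogger("ofs.errors")


@dataclass(frozen=True)
class ErrorCondition:
    """One row of the error handling table (hypothetical representation)."""
    ref: str
    description: str                  # internal description, also written to the log
    enduser_message: Optional[str]    # None where the table says "no"
    rp_error: Optional[str]           # OIDC/OAuth error code, None where the table says "no"
    notify_techs: bool                # the "InAcademia tech?" column


# Constructed subset of the table; codes and texts are those given on this page.
CONDITIONS = {
    "2.1": ErrorCondition("2.1", "RP is not registered at OFS", None, "unauthorized_client", False),
    "2.6": ErrorCondition("2.6", "Rate limit exceeded", None, "temporarily_unavailable", True),
    "8.3": ErrorCondition("8.3", "IdP did not send the expected attributes",
                          "We cannot complete your validation because your institution "
                          "is not providing the required information.", "access_denied", True),
}


def handle_error(ref, redirect_uri=None, state=None, now=None, notify=None):
    """Unique code, log entry, end-user text, RP error response, tech notification.
    redirect_uri must already have been validated against the RP's registration:
    RFC 6749 forbids redirecting to an unvalidated URI, so conditions 2.1-2.3 are
    handled with redirect_uri=None and the user is informed instead."""
    cond = CONDITIONS[ref]
    uid = uuid.uuid4().hex[:12]                       # unique reference for this occurrence
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    log.error("%s %s %s %s", ts, uid, cond.ref, cond.description)
    result = {"code": uid, "timestamp": ts}
    if cond.enduser_message:                          # code + timestamp for screenshot reference
        result["enduser"] = f"{cond.enduser_message} (reference {uid}, {ts})"
    if cond.rp_error and redirect_uri:                # error_description: timestamp - uniqueid - message
        params = {"error": cond.rp_error,
                  "error_description": f"{ts} - {uid} - {cond.description}"}
        if state:                                     # state must be echoed back to the RP
            params["state"] = state
        result["rp_redirect"] = f"{redirect_uri}?{urlencode(params)}"
    if cond.notify_techs and notify:
        notify(f"[InAcademia] error {cond.ref}: {cond.description}", f"{ts} {uid}")
    return result
```

The description placed in error_description is the generic table text, not the underlying exception, so the RP gets a reference it can quote back without internal details leaking to it.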
Enduser Error messages
Error | User-friendly message |
---|---|
5.1 Incoming RelayState @OFS not correct | We could not complete your validation because an error occurred while handling your request. Please return to the service which initiated the validation request and try again. Can we insert the URL of the service here based on MDX? |
5.2 Selected IdP unknown to OFS | We could not complete your validation because your institution is not connected. We have recorded this issue and will contact your institution to try and fix this problem. |
5.3 Selected IdP is not a member of eduGAIN | We could not complete your validation because your institution is not connected to this service using eduGAIN. To contact your institution with this information, please fill in your name and email address below and select "Send". <Form field to enter name> <Form field to enter email> <captcha?> <Send button> |
6.x Various application errors | We could not complete your validation because an error occurred while handling your request. Please return to the service which initiated the validation request and try again. We should only suggest retrying to the end user if there is a chance that it will actually work, e.g. because the request will be handled by another node. If not, because of a catastrophic failure, do not redirect the user back to the RP. |
8.1 User not authenticated | We could not complete your validation because you were not able to authenticate at your institution. If you think this is an error, please contact <Name of the institution>. To contact your institution with this information, please fill in your name and email address below and select "Send". <Form field to enter name> <Form field to enter email> <captcha?> <Send button> |
8.2 SAML response not correct | We cannot complete your validation because the response from your institution was incorrect. We have recorded this issue and will contact your institution to try and fix this problem. |
8.3 IdP did not send expected attributes | We cannot complete your validation because your institution is not providing the required information. The following information was missing: To contact your institution with this information, please fill in your name and email address below and select "Send". <Form field to enter name> <Form field to enter email> <captcha?> <Send button> |
8.4 IdP did not send expected attribute values | We cannot complete your validation because your institution is not providing the required information. The following information was missing: To contact your institution with this information, please fill in your name and email address below and select "Send". <Form field to enter name> <Form field to enter email> <captcha?> <Send button> |
8.5 RelayState modified | We could not complete your validation because an error occurred while handling your request. Please return to the service which initiated the validation request and try again. Can we insert the URL of the service here based on MDX? |
Example error screen