Introduction

This page lists the defined error conditions and how each of them is to be handled.


General Error handling requirements

Errors may occur in many places. When an error is triggered:

  • A unique code must be generated.
  • A log entry must be written, containing the timestamp, the unique code and a description of the error.
  • If an error message is presented to the end user (when applicable, see below), the unique code and a date or timestamp are shown as part of the message. (So in case someone sends us a screenshot of the error, we have a reference.)
  • The GUI for presenting an error is defined in the GUIs section (ToDo: Error conditions).
  • If an error message is presented to the RP (when applicable, see below), the unique code must be part of the message, so we can reference it should the RP come back to us with questions about the error. I suggest making this part of the error_description. Format: timestamp - uniqueid - error message
  • If applicable (see below), a notification should be sent by email to the InAcademia Techs.

Errors in Information flows in InAcademia

Overview of information flows

[Figure: overview of the information flows in InAcademia. Source: Error conditions]

Error handling table

Errors | End User Message | RP message | Email InAcademia tech? | Comment
(1) User starts validation at RP | out of scope | - | - | -
(2) RP requests claims at OFS | | | |
2.1 RP is not registered at OFS | no | unauthorized_client | no | as described in OIDC spec*
2.2 RP registered, but credentials not valid | no | unauthorized_client | no | as described in OIDC spec*
2.3 RP registered, but redirect_uri not valid | no | invalid_request | no | as described in OIDC spec*
2.4 Invalid request made by RP (or any other party) | no | invalid_scope, unsupported_response_type | no | as described in OIDC spec*
2.5 Invalid request parameter values incoming | no | invalid_request | no | as described in OIDC spec*
2.6 Optional: Rate limit too many requests per min? | no | temporarily_unavailable | yes | as described in OIDC spec*
(3) OFS redirects user to Discovery Service | out of scope ** | - | - | -
(4) User selects an IdP | out of scope | - | - | -
(5) Discovery service notifies OFS of user choice | | | |
5.1 Incoming relay state @OFS not correct | Yes | RP is unknown | yes | enduser messages described in "Enduser Error messages"
5.2 Selected IdP unknown to OFS | Yes | access_denied | yes | enduser messages described in "Enduser Error messages". Can we also inform the RP, as well as the enduser?
5.3 Selected IdP not a member of eduGAIN | Yes | access_denied | no | enduser messages described in "Enduser Error messages"; see the note on 5.3 below
5.4 Unsolicited response at disco endpoint at OFS *** | out of scope | out of scope | no | http 404?
5.5 Unsolicited response at non eduGAIN IdP endpoint at OFS *** | out of scope | out of scope | no | http 404?
(6) OFS creates SAML AuthN request for IdP | | | |
6.x Software errors and config problems may trigger errors here | Yes | Can we also inform the RP, as well as the enduser? | yes | http 418?
(7) User authenticates at IdP | out of scope | - | - | -
(8) IdP replies with AuthN response to OFS | | | |
8.1 User not authenticated | Yes | access_denied | no | enduser messages described in "Enduser Error messages"; RP as described in OIDC spec*
8.2 SAML response not correct | Yes | access_denied | no | enduser messages described in "Enduser Error messages"; RP as described in OIDC spec*
8.3 IdP did not send the expected attributes | Yes | access_denied | yes | enduser messages described in "Enduser Error messages"; RP as described in OIDC spec*
8.4 IdP did not send the expected attribute values | Yes | access_denied | yes | enduser messages described in "Enduser Error messages"; RP as described in OIDC spec*
8.5 Relaystate modified along the way | Yes | RP is unknown | yes | enduser messages described in "Enduser Error messages"
(10) Other errors | | | |
10.1 User does not give consent | no | access_denied | no | technically not an error, but should be logged as a "failed transaction" and the RP must be notified

Note on 5.3:

  • Strictly speaking this is not an error, as we know this can happen.
  • This condition is handled by a separate endpoint which is the result of a redirect from the DS service to a specific endpoint on our side.
  • ToDo: NOT an ERROR, but should be logged as a failed transaction.

* http://openid.net/specs/openid-connect-core-1_0.html#AuthError; http://tools.ietf.org/html/rfc6749#section-4.2.2.1

** Discovery is handled via discojuice.org

*** The spec does not seem to define how to handle incorrect response of the disco service, see: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery.pdf
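The general requirements above (unique code, log entry, error_description in the form timestamp - uniqueid - error message) combined with the RP error codes from the table, as an added Python example that is not InAcademia code. The condition names, the log target and the handling of an unvalidated redirect_uri (error shown locally instead of redirecting, as RFC 6749 requires) are assumptions.

```python
import logging
import uuid
from datetime import datetime, timezone
from urllib.parse import urlencode

# Constructed subset of the error handling table: condition -> (RP error code,
# end user sees a message?, e-mail the InAcademia techs?). Condition names are assumed.
CONDITIONS = {
    "2.1 RP not registered":       ("unauthorized_client", False, False),
    "2.3 redirect_uri not valid":  ("invalid_request", False, False),
    "2.6 rate limit":              ("temporarily_unavailable", False, True),
    "5.2 IdP unknown to OFS":      ("access_denied", True, True),
    "8.1 user not authenticated":  ("access_denied", True, False),
    "10.1 no consent":             ("access_denied", False, False),
}

log = logging.getLogger("inacademia.errors")  # assumed logger name


def new_error_event(condition: str, detail: str) -> dict:
    """Assign a unique code, write the log entry and return what may be shown."""
    code = uuid.uuid4().hex[:12]  # reference for screenshots and RP questions
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    rp_error, show_user, mail_techs = CONDITIONS[condition]
    # Internal detail goes only to the log, never into the RP or end-user message.
    log.error("%s %s %s: %s", ts, code, condition, detail)
    return {"timestamp": ts, "code": code, "rp_error": rp_error,
            "show_user": show_user, "mail_techs": mail_techs,
            # Format from the requirements: timestamp - uniqueid - error message
            "error_description": f"{ts} - {code} - {condition}"}


def rp_error_redirect(event, redirect_uri, state, redirect_uri_valid, mode="query"):
    """Build the RP error redirect per RFC 6749 / OIDC Core AuthError, or None."""
    if not redirect_uri_valid:
        # RFC 6749 4.1.2.1: never redirect to a redirect_uri that failed validation
        # (condition 2.3); the caller shows the error locally instead.
        return None
    params = {"error": event["rp_error"],
              "error_description": event["error_description"]}
    if state is not None:  # state must be echoed back when the RP sent one
        params["state"] = state
    sep = "#" if mode == "fragment" else "?"  # fragment for the implicit flow
    return f"{redirect_uri}{sep}{urlencode(params)}"
```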


Enduser Error messages

Error: user-friendly message
5.1 Incoming RelayState @OFS not correct

We could not complete your validation because an error occurred while handling your request.

Please return to the service which initiated the validation request and try again.

(question) Can we insert the URL of the service here based on MDX??

5.2 Selected IdP unknown to OFS

We could not complete your validation because your institution is not connected.

We have recorded this issue and will contact your institution to try and fix this problem.

5.3 Selected IdP is not a member of eduGAIN

We could not complete your validation because your institution is not connected to this service using eduGAIN.

To contact your institution with this information please fill in your name and email address below and select "Send".

<Form field to enter name>

<Form field to enter email>

<captcha?>

<Send button>

6.x Various application errors

We could not complete your validation because an error occurred while handling your request.

Please return to the service which initiated the validation request and try again.

(warning) We should only suggest retrying to the end user if there is a chance that it will actually work, e.g. because the request will be handled by another node. If not, e.g. because of a catastrophic failure, do not redirect the user back to the RP.

8.1 User not authenticated

We could not complete your validation because you were not able to authenticate at your institution.

If you think this is an error, please contact <Name of the institution>.

To contact your institution with this information please fill in your name and email address below and select "Send".

<Form field to enter name>

<Form field to enter email>

<captcha?>

<Send button>

8.2 SAML response not correct

We cannot complete your validation because the response from your institution was incorrect.

We have recorded this issue and will contact your institution to try and fix this problem.

8.3 IdP did not send expected attributes

We cannot complete your validation because your institution is not providing the required information.

The following information was missing:

  • Attribute Foo is required
  • Attribute Bar is required

To contact your institution with this information please fill in your name and email address below and select "Send".

<Form field to enter name>

<Form field to enter email>

<captcha?>

<Send button>


8.4 IdP did not send expected attribute values

We cannot complete your validation because your institution is not providing the required information.

The following information was missing:

  • The value 'Foo' for 'Attribute Bar' is not supported

To contact your institution with this information please fill in your name and email address below and select "Send".

<Form field to enter name>

<Form field to enter email>

<captcha?>

<Send button>

8.5 Relaystate modified
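Distinguishing condition 8.3 (attribute missing) from 8.4 (value not supported) and producing the bullet lines of the messages above, as an added Python example that is not InAcademia code. The attribute names Foo and Bar are the page's placeholders, the allowed values for Bar and the rule that missing attributes are reported before unsupported values are assumptions.

```python
# Constructed requirements: attribute name -> set of allowed values, or None when
# any non-empty value is accepted. Names are placeholders, as on the page.
REQUIRED = {
    "Foo": None,
    "Bar": {"student", "member"},  # assumed allowed values for 'Attribute Bar'
}


def check_attributes(attributes: dict) -> tuple:
    """Classify an IdP attribute release.

    attributes maps an attribute name to its list of values, as released by
    the IdP. Returns (condition, bullet lines): ("8.3", ...) when a required
    attribute is missing or empty, ("8.4", ...) when an attribute is present
    but none of its values is supported, (None, []) when everything is fine.
    """
    missing, unsupported = [], []
    for name, allowed in REQUIRED.items():
        values = [v for v in attributes.get(name, []) if v]
        if not values:
            missing.append(f"Attribute {name} is required")
            continue
        if allowed is not None and not set(values) & allowed:
            # Report the value as received so the institution can correct it.
            unsupported.append(
                f"The value '{values[0]}' for 'Attribute {name}' is not supported")
    if missing:  # assumed precedence: missing attributes are reported first
        return "8.3", missing
    if unsupported:
        return "8.4", unsupported
    return None, []
```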

We could not complete your validation because an error occurred while handling your request.

Please return to the service which initiated the validation request and try again.

(question) Can we insert the URL of the service here based on MDX??

Example error screen

[Image of the example error screen not included in this export]