Centralizing Error Processing for the SAMLv2 Service

A centralized error processing URL is now supported to display all error conditions caught during SAMLv2 protocol processing. (This URL does not handle external application errors - only those thrown by the OpenSSO SAMLv2 Service.) By default, the error processing URL points to saml2error.jsp, a JavaServer Page (JSP) that ships with OpenSSO. saml2error.jsp can be found in the /saml2/jsp directory inside the exploded opensso.war.

How Does It Work?

The error processing URL provides the path to which a user agent is redirected or forwarded when a SAMLv2 processing error occurs. The Error Processing URL attribute is configured using the OpenSSO console. Out-of-the-box, saml2error.jsp is hosted within the OpenSSO WAR. It (or any customized page) can also be hosted with the external customer application.

  • If the page is hosted within opensso.war, a forward is used to send the user agent to the URL. In this case, the value of the Error Processing URL attribute is /saml2/jsp/saml2error.jsp. (This is the default configuration.)
  • If the page is hosted outside of opensso.war, a redirect is used to send the user agent to the URL. In this case, the value of the Error Processing URL attribute is an absolute URL such as http://www.your-app.com/app/saml2error.jsp and must be set as documented in To Configure the Error Processing URL Attribute.

Which Parameters are Sent?

Three query parameters that define the error condition are appended to the error processing URL. When the page is hosted outside of opensso.war they travel on the query string of a browser-visible redirect, so anyone who can reach the page can supply arbitrary values for them; a custom page must treat all three as untrusted input and encode them before writing them into HTML.

  • errorcode is the I18n key of the error message. See SAMLv2 Error Messages for a list.
  • httpstatuscode is the HTTP status code of the error.
  • message contains the details of the I18n error message.
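The following is an added example of a custom error page hosted outside opensso.war, written here for illustration; it is not the saml2error.jsp that ships with OpenSSO. It reads the three documented query parameters, HTML-encodes errorcode and message before rendering them, and only honours httpstatuscode when it is a three-digit 4xx or 5xx value (anything else is answered with 500 so a caller cannot force a success status). The /app/ link target and the fallback to 500 are assumptions, not behaviour documented by OpenSSO.

```jsp
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%@ page import="java.util.regex.Pattern" %>
<%!
    // HTML-escape a parameter value before it is written into the page.
    // errorcode, httpstatuscode and message arrive on the query string of a
    // redirect, so anyone who can reach this page can set them to arbitrary
    // text; they are never echoed unescaped.
    private static String esc(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Only honour a three-digit 4xx/5xx status. Any other value falls back to
    // 500 (an assumption of this example) so a crafted link cannot make the
    // error page answer with 200 or a 3xx.
    private static final Pattern STATUS = Pattern.compile("[45][0-9]{2}");
    private static int status(String s) {
        return (s != null && STATUS.matcher(s).matches()) ? Integer.parseInt(s) : 500;
    }
%>
<%
    String errorcode = request.getParameter("errorcode");
    String message   = request.getParameter("message");
    int code = status(request.getParameter("httpstatuscode"));
    response.setStatus(code);
    // Do not let browsers or proxies cache an error page carrying request-specific detail.
    response.setHeader("Cache-Control", "no-store");
    response.setHeader("Pragma", "no-cache");
%>
<!DOCTYPE html>
<html>
<head><title>Single sign-on error</title></head>
<body>
<h1>Single sign-on could not be completed</h1>
<p>Error code: <code><%= esc(errorcode) %></code></p>
<p>HTTP status: <%= code %></p>
<p>Details: <%= esc(message) %></p>
<p><a href="/app/">Return to the application</a></p>
</body>
</html>
```

With this page deployed at http://www.your-app.com/app/saml2error.jsp and that URL entered as the Error Processing URL attribute, OpenSSO redirects the user agent to it with the three parameters appended, for example ...?errorcode=SSOFailed&httpstatuscode=500&message=Single%20sign%20on%20failed. The errorcode value is the I18n key listed under SAMLv2 Error Messages and is the field worth keying an audit or alert on; the message text is display detail only.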

To Configure the Error Processing URL Attribute

  1. Log in to the OpenSSO console as the administrator; by default, amadmin.
  2. Click the Configuration tab.
  3. Click the Global tab.
  4. Click the SAMLv2 Service Configuration link.
  5. Enter the appropriate URL as the value for the Error Processing URL attribute and click Save.
  6. Log out of the console.

SAMLv2 Error Messages

The following is the list of SAMLv2 error codes, that is, the values that can appear in the errorcode parameter, each with its corresponding message.

  • nullSPEntityID : Service provider entity identifier is blank.
  • nullIDPEntityID : Identity provider entity identifier is blank.
  • idpNotFound : Identity provider (using the SourceID in the artifact) is not found.
  • requestProcessingError : Error processing AuthnRequest.
  • failedToProcessSSOResponse : Failed to process the single sign-on response.
  • nullInput : Blank input.
  • requestProcessingMNIError : Error processing ManageNameIDRequest.
  • nullRequestType : Request Type is not specified.
  • nullSSOToken : No SSOToken is found.
  • LogoutRequestProcessingError : Error processing LogoutRequest.
  • LogoutResponseProcessingError : Error processing LogoutResponse.
  • largeContentLength : Length of the content in the SOAP request is too long.
  • errorMetaManager : Error getting an instance of the metadata manager.
  • metaDataError : Error retrieving metadata.
  • nullSessionProvider : Session Provider is not specified.
  • SSOFailed : Single sign on failed.
  • LogoutRequestCreationError : Error creating LogoutRequest.
  • nullAssertionID : No AssertionID specified.
  • failedToGetAssertionIDRequestMapper : Error retrieving the AssertionID request mapper.
  • failedToAuthenticateRequesterURI : Failed to authenticate the requester using the URI binding.
  • invalidAssertionID : Invalid AssertionID value.
  • invalidAssertion : Invalid Assertion.
  • unsupportedEncoding : Character encoding used is not supported.
  • MissingSAMLRequest : SAMLRequest ID is missing from the HttpRequest.
  • nullDecodedStrFromSamlResponse : Decoded string from LogoutResponse is null.
  • nullIDPMetaAlias : Identity provider metaAlias is null.
  • invalidSOAPMessage : The SOAPMessage sent by the client is not valid.
  • unableToCreateArtifactResponse : Unable to create a SAMLv2 ArtifactResponse.
  • UnableToRedirectToAuth : Unable to redirect to the Authentication Service URL.
  • errorCreateArtifact : Error creating the Artifact.
  • failedToSendECPResponse : Failed to send ECP response.
  • notSupportedHTTPMethod : The specified single sign-on profile is not supported.
  • missingArtifact : The SAMLArt is missing from the HttpRequest.
  • errorObtainArtifact : Could not obtain the Artifact from the HttpRequest.
  • failedToGetIDPSSODescriptor : Failed to get SSODescriptor element from the identity provider metadata.
  • errorCreateArtifactResolve : Could not create an ArtifactResolve.
  • errorInSOAPCommunication : Could not obtain the ArtifactResponse due to an error in SOAP communication.
  • cannotFindIDP : Could not find the identity provider based on the Artifact string.
  • cannotFindArtifactResolutionUrl : Could not find the identity provider's Artifact Resolution URL.
  • soapError : Error occurred in SOAP communication.
  • failedToCreateArtifactResponse : Failed to create the ArtifactResponse object.
  • missingArtifactResponse : ArtifactResponse is missing from SOAPMessage.
  • invalidSignature : Invalid signature in the ArtifactResponse.
  • invalidInResponseTo : Invalid InResponseTo attribute in the ArtifactResponse.
  • invalidIssuer : Invalid Issuer attribute in the ArtifactResponse.
  • invalidStatusCode : Invalid StatusCode attribute in the ArtifactResponse.
  • failedToCreateSOAPMessage : SOAPMessage was not created.
  • failedToCreateResponse : Response was not created.
  • assertionNotSigned : SAML Assertion is not signed.
  • missingSAMLResponse : SAMLResponse is missing from the HttpRequest.
  • errorObtainResponse : Couldn't obtain SAMLResponse from the HttpRequest.
  • errorDecodeResponse : Error decoding the SAMLResponse in the HttpRequest.
  • invalidHttpRequestFromECP : Invalid HttpRequest from the ECP.
  • failedToProcessQueryRequest : Failed to process the query request.
  • failedToCreateAssertionIDRequest : Could not create the AssertionIDRequest.
  • nullPathInfo : No URI path information found in the request.
  • invalidMetaAlias : Entity's metaAlias is invalid.
  • failedToCreateAttributeQuery : Unable to create the AttributeQuery object.
  • failedToCreateAuthnQuery : Unable to create the AuthnQuery object.
  • nameIDMappingFailed : Name identifier mapping failed.
  • failedToInitECPRequest : Failed to initiate the ECP request.
  • singleLogoutFailed : Single logout failed.
  • nullRequestUri : The request URI is not specified.
  • invalidRequestUri : Unable to determine federation protocol based on the request URI.
  • noRedirectionURL : No redirection URL is specified.
  • readerServiceFailed : Reader service failed.

Copyright 1994-2009 Sun Microsystems, Inc.