Skip to main content
Skip table of contents

The errorURL attribute and what it is for

Some identity providers (IdPs) provide an errorURL attribute for their users for situations where the IdP has not provided all the information the SP (you) expected. Providing it is mandatory for IdPs in some federations (e.g. InCommon) and optional in others; it is unlikely to be mandated that SPs use it, but federations are likely to encourage it as it will improve the UX when there are access problems. 

You will see it as a claim called Issuer.errorURL and in the unlikely event that you have something else mapped to that claim name, your mapping will be overridden. 

What it is for

You can add this link to your error message so that if the problem is at the IdP end, the end user has the option to follow it back to their home organisation to report the problem.

What it is not for

It is not, of course, a replacement for your own error message and users should not be simply redirected to it as they will have no context.

Examples of when you might include this link in your error message:

  • The claims / attributes you received do not include the ones you needed - e.g. you need role but they're not sending it for this user
  • The values of the claims you received do not include the ones you needed - e.g. they're sending role, but none of the values are 'member', 'staff' or 'student'

There are usually some standard parameters specified in the URL that you can include values for. OpenAthens IdPs will have tokens in the link for:

  • ERRORURL_CODE
  • ERRORURL_TS
  • ERRORURL_CTX
  • ERRORURL_TID
  • ERRORURL_RP

These should be used as defined at https://refeds.org/specifications/errorurl-v1

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.