The errorURL attribute and what it is for
Some identity providers (IdPs) publish an errorURL attribute for use when the IdP has not supplied all of the information that the service provider (SP, i.e. you) expected. Providing it is mandatory for IdPs in some federations (e.g. InCommon) and optional in others. SPs are unlikely to be required to use it, but federations are likely to encourage it because it improves the user experience when there are access problems.
You will see it as a claim called Issuer.errorURL; in the unlikely event that you have something else mapped to that claim name, your mapping will be overridden.
What it is for
You can add this link to your own error message so that, if the problem is at the IdP end, the end user has the option of following it back to their home organisation to report the problem.
What it is not for
It is not, of course, a replacement for your own error message, and users should not simply be redirected to it: they will have no context for the page they land on. The URL is also supplied by a third party, so render it only as an optional link alongside your own message.
Examples of when you might include this link in your error message:
- The claims / attributes you received do not include the ones you needed, e.g. you need role but the IdP is not sending it for this user
- The values of the claims you received do not include the ones you needed, e.g. the IdP is sending role, but none of the values are 'member', 'staff' or 'student'
The URL usually contains standard placeholder tokens that you replace with values before showing the link. OpenAthens IdPs will have tokens in the link for:
ERRORURL_CODE
ERRORURL_TS
ERRORURL_CTX
ERRORURL_TID
ERRORURL_RP
Replace these tokens as defined in the REFEDS errorURL specification at https://refeds.org/specifications/errorurl-v1 (a token for which you have no value is replaced with an empty string, and every value must be URL-encoded).
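As an added example (not code from the original page or from OpenAthens), the following Python shows the token substitution described above for an SP that has received an Issuer.errorURL claim. It assumes the four error codes defined by the REFEDS errorURL v1 specification (IDENTIFICATION_FAILURE, AUTHENTICATION_FAILURE, AUTHORIZATION_FAILURE, OTHER_ERROR) and that ERRORURL_TS is a Unix timestamp in seconds; the function and variable names, and the sample IdP and SP URLs, are hypothetical. Because the errorURL value comes from a third party, the example refuses anything that is not an https URL and HTML-escapes it when rendering, so it can only ever appear as an optional link next to your own message.

```python
import html
import re
import time
from urllib.parse import quote, urlsplit

# The four error codes defined by the REFEDS errorURL v1 specification.
ERROR_CODES = {
    "IDENTIFICATION_FAILURE",
    "AUTHENTICATION_FAILURE",
    "AUTHORIZATION_FAILURE",
    "OTHER_ERROR",
}

# The five placeholder tokens an IdP may put in its errorURL.
TOKEN_RE = re.compile(r"ERRORURL_(CODE|TS|CTX|TID|RP)")


def build_error_url(template, code, rp, tid=None, ctx=None, ts=None):
    """Fill in the REFEDS tokens of an IdP's errorURL (hypothetical helper).

    template: the Issuer.errorURL claim value exactly as received.
    code:     one of ERROR_CODES.
    rp:       your SP entityID.
    tid:      the transaction/response ID, if you have one.
    ctx:      extra context, e.g. the name of the attribute you needed.
    ts:       Unix timestamp in seconds (defaults to now).

    Returns None when the template is not an https URL, so the caller
    shows its own error message with no link rather than a bad one.
    """
    if code not in ERROR_CODES:
        raise ValueError(f"unknown errorURL code: {code}")

    parts = urlsplit(template)
    # The link is third-party data: never render javascript:, data:, or
    # plain http: links to the user.
    if parts.scheme != "https" or not parts.netloc:
        return None

    values = {
        "CODE": code,
        "TS": str(int(ts if ts is not None else time.time())),
        "RP": rp,
        "TID": tid or "",   # spec: tokens without a value become empty strings
        "CTX": ctx or "",
    }
    # A single regex pass, rather than chained str.replace calls, so that a
    # substituted value which itself contains "ERRORURL_..." (for example a
    # CTX string) cannot be expanded again by a later replacement.
    return TOKEN_RE.sub(lambda m: quote(values[m.group(1)], safe=""), template)


def render_error_html(message, error_url):
    """Your own error text comes first; the IdP link is only an extra option."""
    out = f"<p>{html.escape(message)}</p>"
    if error_url:
        out += (
            f'<p><a href="{html.escape(error_url, quote=True)}">'
            "Report this problem to your home organisation</a></p>"
        )
    return out


if __name__ == "__main__":
    # Constructed sample: an errorURL as an OpenAthens IdP might publish it.
    template = ("https://idp.example.ac.uk/error?code=ERRORURL_CODE&ts=ERRORURL_TS"
                "&rp=ERRORURL_RP&tid=ERRORURL_TID&ctx=ERRORURL_CTX")
    url = build_error_url(template, "AUTHORIZATION_FAILURE",
                          "https://sp.example.com/shibboleth",
                          tid="_abc123", ctx="role")
    print(render_error_html(
        "We could not sign you in: your organisation did not send a role "
        "of member, staff or student.", url))
```

The AUTHORIZATION_FAILURE case with ctx set to the missing attribute name matches the second bullet above (role present but without an acceptable value); use IDENTIFICATION_FAILURE with the attribute name in ctx when the attribute is missing altogether.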