There are two schools of thought here. In some implementations, if an error is detected at the identity provider (IdP) site, an error status SAML response is returned to the service provider (SP). In other implementations, no SAML response is returned and instead control remains at the IdP site. For example, it might redirect the user to an error page. Both approaches are reasonable.
We don't automatically send an error status SAML response as this then gives you the option either to do so yourself or to keep control at your site.
So, if any exception is thrown, the option is to either send an error status SAML response to the SP or to keep control at the IdP site by redirecting to an error page etc. The choice is yours although in our experience many implementations don't send the error status SAML response and instead redirect to an error page.
Regards,
ComponentSpace Development
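As an added illustration of the first option (not ComponentSpace's API or code from this thread), here is a standard-library Python sketch of the two halves of an error status SAML response: the IdP builds a Response whose Status is Responder with the specific code nested underneath and no Assertion, and the SP only accepts a Response as a login when the status is Success and an Assertion is present. The IDs, URLs and status message are constructed sample values.

```python
# Added example, not ComponentSpace's API: an IdP-side builder for a SAML 2.0
# error-status Response and the SP-side check that refuses to treat it as a login.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"
ET.register_namespace("samlp", NS_P)
ET.register_namespace("saml", NS_A)


def build_error_response(in_response_to, destination, issuer, detail_code, message):
    """IdP side: Responder at the top level, the specific code nested under it,
    a StatusMessage, and deliberately no Assertion. Returns serialized XML bytes."""
    resp = ET.Element(f"{{{NS_P}}}Response", {
        "ID": "_id-placeholder",  # placeholder; a real IdP generates a unique random ID
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "InResponseTo": in_response_to,
        "Destination": destination,
    })
    ET.SubElement(resp, f"{{{NS_A}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{NS_P}}}Status")
    top = ET.SubElement(status, f"{{{NS_P}}}StatusCode", Value=STATUS_RESPONDER)
    ET.SubElement(top, f"{{{NS_P}}}StatusCode", Value=detail_code)
    ET.SubElement(status, f"{{{NS_P}}}StatusMessage").text = message
    return ET.tostring(resp, encoding="utf-8")


def classify_response(xml_bytes):
    """SP side: ('success', None) only for a Success status that also carries an
    Assertion; anything else is ('error', most specific status code). A real SP
    verifies the XML signature and InResponseTo before trusting any of this."""
    root = ET.fromstring(xml_bytes)
    top = root.find(f"{{{NS_P}}}Status/{{{NS_P}}}StatusCode")
    code = top.get("Value")
    nested = top.find(f"{{{NS_P}}}StatusCode")
    detail = nested.get("Value") if nested is not None else code
    if code == STATUS_SUCCESS and root.find(f"{{{NS_A}}}Assertion") is not None:
        return ("success", None)
    return ("error", detail)


if __name__ == "__main__":
    # Constructed sample values for the demo
    err = build_error_response("_req-123", "https://sp.example.com/acs",
                               "https://idp.example.com", STATUS_AUTHN_FAILED,
                               "User authentication failed")
    print(classify_response(err))  # ('error', 'urn:oasis:names:tc:SAML:2.0:status:AuthnFailed')
```

The SP-side check is the part that matters regardless of which school you follow: a Response with no Assertion, even one claiming Success, must never be treated as a completed login.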