RE: [security-services] Question regarding SAML error codes...

["Ahmed, Zahid" <zahid.ahmed@commerceone.com>]

I would agree that it would be very useful to have a rcihers set of error
codes associated with SAML processing.
 
Infact, if these new error codes could also be applicable to SAML/SOAP
binding (which WSS TC is working on) that would help error processing
interop for SOAP/SAML apps as well.
 
thanks,
Zahid

-----Original Message-----
From: Carlisle Adams [mailto:carlisle.adams@entrust.com]
Sent: Monday, February 03, 2003 2:31 PM
To: 'rphilpott@rsasecurity.com'; 'pmishra@netegrity.com'
Cc: 'security-services@lists.oasis-open.org'
Subject: [security-services] Question regarding SAML error codes...



Hi, 

I recently received a question from a SAML developer regarding error codes.
Specifically, the developer was asking for 

"...more detailed error information. Saml 1.0 leaves most of it to the
vendors, which means automated error recovery (and possibly troubleshooting)
is going to be difficult in multi-vendor environments."

When I asked for examples of what would be helpful, I got the following
response: 

I think there could be a code for each item in the message that might fail.
Currently, the only specific error codes have to do with version mismatches
and one about too many elements to be returned. 

*	digital signature validation failed (could get more specific wrt
unknown signer DN, cryptographic problems, etc) 

*	missing digital signature 

*	bad artifact 

*	unknown sourceID 

*	unknown/expired assertionHandle (perhaps this isn't an error... for
some reason, you're supposed to return "success" even if you can't/won't
generate an assertion. I think there are different subcases here, and some
are errors) 

*	request issueInstant is in the future 

*	request issueInstant is too far in the past (these two indicate a
clock sync problem) 


Would it be possible to discuss this briefly on tomorrow's call and see if
there's any desire to include something along these lines in the 1.1 time
frame?

Carlisle.