According to D5.8.1b Interface Specification v1.2.3_rev5.doc: If the subordinate status code is included in the response, then the status message must be the one corresponding to the subordinate status code, not the top-level status code. Our test team has the following suggestion: if the status code instead of an error number is shown (cf. OSOR bug 14462 https://forge.osor.eu/tracker/index.php?func=detail&aid=14462&group_id=1...), it should be the most specific one (e.g. urn:oasis:names:tc:SAML:2.0:status:AuthnFailed and not urn:oasis:names:tc:SAML:2.0:status:Responder), so that it more closely corresponds to the error message shown to the user.
Hardware | None |
Product | None |
Operating System | None |
Component | None |
Version | None |
Severity | None |
Resolution | None |
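
The rule quoted in the report, as an added example (not code from the project or from the interface specification): it walks the nested `StatusCode` elements of a SAML 2.0 `Status`, picks the most specific (innermost) code, and checks that `StatusMessage` matches that code rather than the top-level one. The `MESSAGES` table, the sample XML and the function names are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"samlp": SAMLP}
PREFIX = "urn:oasis:names:tc:SAML:2.0:status:"

# Hypothetical code-to-message table; the real texts live in the interface spec.
MESSAGES = {
    PREFIX + "Responder": "Responder error",
    PREFIX + "AuthnFailed": "Authentication failed",
}

# Constructed sample: top-level Responder with subordinate AuthnFailed.
SAMPLE_STATUS = f"""\
<samlp:Status xmlns:samlp="{SAMLP}">
  <samlp:StatusCode Value="{PREFIX}Responder">
    <samlp:StatusCode Value="{PREFIX}AuthnFailed"/>
  </samlp:StatusCode>
  <samlp:StatusMessage>Authentication failed</samlp:StatusMessage>
</samlp:Status>
"""

def status_code_chain(status):
    """Return StatusCode values ordered from top-level to innermost."""
    chain = []
    node = status.find("samlp:StatusCode", NS)  # direct children only
    while node is not None:
        value = node.get("Value")
        if not value:
            raise ValueError("StatusCode without a Value attribute")
        chain.append(value)
        node = node.find("samlp:StatusCode", NS)
    if not chain:
        raise ValueError("Status has no StatusCode")
    return chain

def check_status(xml_text, messages=MESSAGES):
    """Return (most_specific_code, message_matches_that_code)."""
    # Stdlib parser is used only for this constructed input; untrusted SAML
    # needs a hardened XML parser and signature verification before this step.
    status = ET.fromstring(xml_text)
    if status.tag != f"{{{SAMLP}}}Status":
        raise ValueError("root element is not samlp:Status")
    specific = status_code_chain(status)[-1]
    message = status.findtext("samlp:StatusMessage", default="", namespaces=NS)
    return specific, message.strip() == messages.get(specific)
```

A response that carries the subordinate code but the top-level code's message is reported as a mismatch, which is the condition the test team asks to be avoided.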
Comments