OpenConext / OpenConext-engineblock

OpenConext SAML 2.0 IdP/SP Gateway

User is shown confusing technical error message when they refuse/can't do MFA (e.g., in eduID) #1248

Open baszoetekouw opened 1 year ago

baszoetekouw commented 1 year ago

When an IdP is configured (in manage) to require a specific ACCR for a service, and the MFA login fails for some reason, Engineblock shows this generic error message to the user:

(Screenshot 2023-05-25 at 09:37:07)

While technically correct, it would be nice if we could make this specific error a bit more readable for regular users. For me it was not entirely clear on first glance that this was an MFA error. Regular users probably have no idea what is happening here.

To reproduce:

thijskh commented 1 year ago

We have this error screen available in Engineblock. This is shown when said setting is configured but the IdP does not report back that the ACCR has been used in authentication. This is what the majority of our IdPs implement:

Fout - Multi-factor-authenticatie is mislukt (Dutch: "Error - Multi-factor authentication failed")

I understand your request as that when receiving NoAuthnContext from the IdP, it should also display this screen instead of the generic "SAML Error response received" message above, correct?

It seems a bit of a corner case, because (like with wrong password), the IdP can present a more clear error message to the user than we can. Is it not better to fix this in the IdP?
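The two situations discussed in this thread (the IdP answering with a NoAuthnContext status, and the IdP answering Success without the required ACCR in the assertion) can be told apart from the generic SAML error case with a small classifier. The following is an added illustration in Python, not Engineblock code (Engineblock is PHP); it assumes the REFEDS MFA profile URI as the required ACCR, parses constructed minimal Responses, and only decides which error screen to show. Signature validation and the other checks a real SP performs are assumed to have happened already.

```python
"""Classify a SAML 2.0 Response for a service that requires a specific
AuthnContextClassRef (ACCR), such as an MFA context.

Added example, not OpenConext Engineblock code. Standard library only;
the required ACCR and the sample responses below are constructed for
illustration.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"
STATUS_AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"

# Assumed required ACCR for the service (REFEDS MFA profile).
REQUIRED_ACCR = "https://refeds.org/profile/mfa"

# Which screen the user gets for each outcome; None means "log the user in".
USER_MESSAGES = {
    "ok": None,
    "mfa_failed": "Multi-factor authentication failed",
    "saml_error": "SAML Error response received",
}


def classify_response(xml_text: str, required_accr: str) -> str:
    """Return 'ok', 'mfa_failed' or 'saml_error'.

    'mfa_failed' covers both ways an IdP can fail the ACCR requirement:
    a NoAuthnContext status code (top-level or nested second-level code),
    or a Success status whose assertion does not carry the required ACCR.
    Any other non-Success status stays a generic SAML error.
    """
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status", NS)
    # iter() walks in document order, so the top-level code comes first
    # and any nested second-level codes follow it.
    codes = [] if status is None else [
        sc.get("Value") for sc in status.iter("{%s}StatusCode" % NS["samlp"])
    ]
    if STATUS_NO_AUTHN_CONTEXT in codes:
        return "mfa_failed"
    if not codes or codes[0] != STATUS_SUCCESS:
        return "saml_error"
    accrs = [
        el.text.strip()
        for el in root.findall(
            ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS
        )
        if el.text
    ]
    # Success, but the IdP did not report that the required context was used.
    if required_accr not in accrs:
        return "mfa_failed"
    return "ok"


def error_message_for(xml_text: str, required_accr: str = REQUIRED_ACCR):
    """Map a Response to the message shown to the user (None on success)."""
    return USER_MESSAGES[classify_response(xml_text, required_accr)]


def sample_response(top_status, nested_status=None, accr=None) -> str:
    """Constructed minimal Response used only to exercise the classifier."""
    nested = f'<samlp:StatusCode Value="{nested_status}"/>' if nested_status else ""
    assertion = ""
    if accr is not None:
        assertion = (
            "<saml:Assertion><saml:AuthnStatement><saml:AuthnContext>"
            f"<saml:AuthnContextClassRef>{accr}</saml:AuthnContextClassRef>"
            "</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>"
        )
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
        f'<samlp:Status><samlp:StatusCode Value="{top_status}">{nested}'
        "</samlp:StatusCode></samlp:Status>"
        f"{assertion}</samlp:Response>"
    )


if __name__ == "__main__":
    cases = {
        "IdP refused MFA (NoAuthnContext)": sample_response(STATUS_RESPONDER, STATUS_NO_AUTHN_CONTEXT),
        "IdP success without ACCR": sample_response(STATUS_SUCCESS, accr="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"),
        "IdP success with ACCR": sample_response(STATUS_SUCCESS, accr=REQUIRED_ACCR),
        "other IdP error": sample_response(STATUS_RESPONDER, STATUS_AUTHN_FAILED),
    }
    for label, xml_text in cases.items():
        print(f"{label}: {error_message_for(xml_text)}")
```

The nested-status check matters because SAML IdPs usually put NoAuthnContext as a second-level StatusCode under a top-level Responder code, so looking only at the top-level value would collapse that case into the generic error this issue is about.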

baszoetekouw commented 10 months ago

If this is indeed specific to eduID, I agree that it would be nicer to fix it there (i.e., make eduID show an error instead of redirecting the user with a SAML error message).