Handle error assertion from SFO endpoint

[phavekes]

This issue is imported from pivotal - Originaly created at Jun 17, 2019 by Thijs Kinkhorst

When the authentication at SFO does not succeed, it will return a SAML assertion with a status code, a sub status code and optionally a status message.

Engine should handle this and stop authentication. Present an error screen to the user.

The screen should clearly indicate that the second factor verification failed and that this means we cannot continue. And what the reason was that second factor verfication was attempted (per sp configuration, per idp/sp configuration (might be more reasons in the future).

Handle specific status codes (see https://wiki.surfnet.nl/display/SsID/Second+Factor+Only+%28SFO%29+Authentication under Error Handling):

• User pressed cancel. Say that this is the reason it failed. Tell them to try login again at the SP.
• User does not have a token at the required level. Tell them to register a token. Provide link to page (https://support.surfconext.nl/stepup-noauthncontext) that can be customised with advice e.g. the right link to the selfservice portal.
• Any other error response.

Display the received status codes and message if present.

Estimation: 8 - 12h

[phavekes]

@thijskh could you supply us with the final error messages? (bstrooband - Jul 10, 2019)

[phavekes]

For the error messages it would be useful to have a configurable variable for "SURFsecureID" just like we have %suiteName% now. E.g. "%stepupSuiteName%". If this is a lot of work then we\'ll think of another way to solve this.

Here are the messages.

user canceled

• Fout - Inloggen afgebroken
• Je hebt het inloggen afgebroken. Ga terug naar de dienst als je het opnieuw wilt proberen.
• Error - Logging in cancelled
• You have aborted the login process. Go back to the service if you want to try again.

onvoldoende loa

• Fout - Geen geschikt token gevonden
• Om toegang te krijgen tot deze dienst heb je een geregistreerd token nodig met een bepaald zekerheidsniveau. Je hebt nu ofwel geen token geregistreerd, of het zekerheidsniveau van token wat je hebt geregistreerd is te laag. Volg de link hieronder voor meer informatie over het registratieproces.
• Error - No suitable token found
• To continue to this service, a registered token with a certain level of assurance is required. Currently, you either haven\'t registered a token at all, or the level of assurance of token you did register is too low. See the link below for more information about the registration process.

other sfo error

• Inloggen met sterke authenticatie is niet gelukt en we weten niet precies waarom. Probeer het eerst eens opnieuw door terug te gaan naar de dienst en opnieuw in te loggen. Lukt dit niet, neem dan contact op met de helpdesk van je %organisationNoun%.
• Logging in with strong authentication has failed and we don\'t know exactly why. Please try again first by going back to the service and logging in again. If this doesn\'t work, please contact the help desk of your %organisationNoun%. (Thijs Kinkhorst - Jul 23, 2019)

[phavekes]

All errors should show in the extra information block the saml status message if one is given.

The last error should show all the following in the extra information blocks: saml status code, saml sub status code, saml status message (Thijs Kinkhorst - Jul 23, 2019)

[phavekes]

@thijskh thanks for the messages! (bstrooband - Jul 24, 2019)

[phavekes]

I haven\'ty implemented \'Display the received status codes and message if present.\' yet because of the changes in 5.11. This could be addressed better after the final error page layout changes are done. (bstrooband - Aug 9, 2019)

[phavekes]

Apologies, the texts for onvoldoende loa are slightly wrong.

Following correction requested:

• level of assurance of the token you did register
• het zekerheidsniveau van het token dat je hebt geregistreerd (Thijs Kinkhorst - Aug 20, 2019)

[phavekes]

Need rework (bstrooband - Aug 20, 2019)

[phavekes]

The link does not work (in FF), because of an HTML error (missing `=` after `href`):

<a target="_blank" href"https://support.surfconext.nl/stepup-noauthncontext">

@bstrooband (Thijs Kinkhorst - Aug 23, 2019)

[phavekes]

The mentioned text changes (comment of Aug 20, 4:34 pm) have not been applied (Thijs Kinkhorst - Aug 27, 2019)

[phavekes]

While we are at it, please change the URL for NL to https://support.surfconext.nl/stepup-noauthncontext-nl (extra suffix -nl) (Thijs Kinkhorst - Aug 27, 2019)

[phavekes]

The changes were merged back to the wrong branch. This have been fixed. I directly applied the suggested suffix. (bstrooband - Aug 28, 2019)