TheIdentitySelector / thiss-js

The identity selector software source

Indicate unable to verify returning site #270

Open Bojhan opened 4 months ago

Bojhan commented 4 months ago

Seamless access in some cases will not know if users are sent back to an "approved" URL.

SPs are requested to publish the allowed URLs a discovery service can send responses back to; however, they are not required to do so - and thus it happens that we cannot verify. Given that this poses a security risk, we need to signal this to users.

We see three scenarios:

  1. DiscoveryResponse info and the return URL is among them; UI should indicate that all is good;
  2. DiscoveryResponse info and the return URL is not among them; UI should indicate that not all is good;
  3. DiscoveryResponse info and the return URL is not among them; UI should indicate that the user should check themselves.

Given that we should not indicate that all is good, 1) is covered by our current flow.

For scenario 2/3 we will send the same message: the fact that we cannot identify the return path from the origin.

The Continue button will send them back to the previous interaction/page.

[Screenshots: "Unkown return", "Unkown return_ Different domain"]
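The return-URL check discussed in the comment above, as an added example that is not part of the issue and is not thiss-js code. The function names, the choice to compare on scheme, host, port and path while ignoring the query string, and the reading of the third state as "the SP published no DiscoveryResponse URLs" are assumptions.

```javascript
// Added example (not thiss-js code). Names and matching policy are assumptions.
const Verdict = Object.freeze({
  VERIFIED: "verified",         // return URL is among the published URLs
  MISMATCH: "mismatch",         // URLs are published, return URL is not among them
  UNVERIFIABLE: "unverifiable", // SP published nothing, so there is nothing to compare
});

// Reduce a URL to the parts that are compared: scheme, host, port and path.
// Returns null for anything that is not an absolute http(s) URL.
function canonical(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch {
    return null;
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  // Userinfo ("https://sp.example.org@other.example/") can disguise the real host.
  if (u.username || u.password) return null;
  return u.origin + u.pathname;
}

// discoveryResponseLocations: URLs the SP published for discovery responses.
function classifyReturn(returnUrl, discoveryResponseLocations) {
  const target = canonical(returnUrl);
  if (target === null) return Verdict.MISMATCH; // never treat a malformed return as merely unknown
  const registered = (discoveryResponseLocations || [])
    .map(canonical)
    .filter((loc) => loc !== null);
  if (registered.length === 0) return Verdict.UNVERIFIABLE;
  return registered.includes(target) ? Verdict.VERIFIED : Verdict.MISMATCH;
}

// The issue proposes one and the same message for every case except "verified".
function shouldWarnUser(returnUrl, discoveryResponseLocations) {
  return classifyReturn(returnUrl, discoveryResponseLocations) !== Verdict.VERIFIED;
}

// Constructed sample data for illustration.
const published = ["https://sp.example.org/Shibboleth.sso/Login"];
console.log(classifyReturn("https://SP.example.org:443/Shibboleth.sso/Login?target=x", published));
console.log(classifyReturn("https://other.example/Shibboleth.sso/Login", published));
console.log(classifyReturn("https://sp.example.org/Shibboleth.sso/Login", []));
```
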

Bojhan commented 3 months ago

Final comments here: