Tag entityID not usable in error templates
Activity
Martin Hitschel June 15, 2012 at 8:56 AM (Edited)
Scott Cantor June 14, 2012 at 4:06 PM
A few points:
- the entityID should be set any time it can be
- the RequestMapper never directly sends anybody to an error template
- accessError never gets used by default; it's only used if you override the behavior of the system when access control plugins fail to go there instead of just returning a Forbidden status
What you're trying to do is what the new post SSO hook feature and AttributeChecker handler are designed for, and that uses a real session and always has entityID set per normal. Or should anyway, I'll check it.
With 2.5, you also have full control over the extraction of the entityID into a custom attribute, so you can treat it in that fashion to get around any limitations as well.
I'll check on a couple of things, but I don't think whatever you're seeing is something I could reproduce. Once a session exists, entityID should be set.
I'd suggest you take any issues with the alpha not behaving as you expect to the dev list and I can figure out if it's working or not or you can file new issues.
Martin Hitschel June 14, 2012 at 1:29 PM (Edited)
I would like to reopen this and set higher than "Trivial": I just installed 2.5 alpha and still get an empty EntityID. SAML2 User Session is being created, and RequestMapper sends user to accessError.html because some attributes are missing. However, the <shibmlp entityID/> tag is empty when the browser shows that file. It's non-trivial for me because I'd like to rely upon that tag in further processing (entering the missing attributes at another SP where the user's IdP must be known) and not just for a nice display.
Scott Cantor February 2, 2012 at 10:19 PM
http://svn.shibboleth.net/view/cpp-sp?rev=3571&view=rev
Cleaned up SAML 1 error handling path, and expanded annotation of exceptions during ACS processing to pick up issuer info when possible.
Scott Cantor July 11, 2011 at 2:06 PM
I don't think it tries to limit that 100% of the time, it probably depends on the error. But I'd have to look at the code.
Wanted to customize an error template that outputs the entityID of an IdP as described in:
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPErrors
While <shibmlp supportContact/> works as expected, <shibmlp entityID/> as well as <shibmlp entityId/> remained empty.