The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.

BlameSP

Once Shibboleth is working reliably, there are two very common run-time errors that typically happen as a result of problems at the SP end:

  • Clock skew problems
  • Malformed AuthnRequest URLs caused by broken redirection logic

Clock skew can't generally be detected at the IdP end because it usually causes failures at the SP while creating new sessions. The second problem, however, usually manifests as an error at the IdP, because a required parameter is missing, such as shire or target.

Since there's nothing the IdP support staff can do to resolve the issue, it usually does no good to have the user report the error there, even though that's the natural thing to do when the IdP software reports a problem. As of 1.3.1, you can alter this behavior and report a different message to the client that may be more useful.
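To work out which SP is sending the malformed requests described above, the IdP's web access log can be scanned for SSO requests that lack shire or target. This is an added example, not part of the Shibboleth documentation or code; it assumes Combined Log Format and an SSO handler at /shibboleth-idp/SSO, and the log lines are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

REQUIRED = ("shire", "target")    # parameters the page names; extend as needed
SSO_PATH = "/shibboleth-idp/SSO"  # assumed SSO handler path, adjust to your IdP
# Assumed Combined Log Format: "METHOD uri PROTO" status size "referer" ...
LOG_RE = re.compile(r'"(?:GET|POST) (?P<uri>\S+) [^"]*" \d{3} \S+ "(?P<ref>[^"]*)"')

def missing_params(uri, required=REQUIRED):
    """Return the required parameters that are absent or blank in the query."""
    query = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    return [p for p in required if not any(v.strip() for v in query.get(p, []))]

def likely_sp(uri, referer):
    """Best guess at the SP host: shire, then target, then the Referer header."""
    query = parse_qs(urlsplit(uri).query)  # blank values are dropped here
    for candidate in query.get("shire", []) + query.get("target", []) + [referer]:
        host = urlsplit(candidate).hostname
        if host:
            return host
    return "unknown"

def scan(lines, sso_path=SSO_PATH):
    """Count malformed AuthnRequests per (likely SP host, missing parameters)."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m or urlsplit(m["uri"]).path != sso_path:
            continue  # not a request to the SSO handler
        missing = missing_params(m["uri"])
        if missing:
            hits[(likely_sp(m["uri"], m["ref"]), tuple(missing))] += 1
    return hits

def _line(uri, referer):  # builds one constructed access-log line
    return (f'192.0.2.10 - - [12/Mar/2007:10:01:02 +0000] "GET {uri} HTTP/1.1" '
            f'200 812 "{referer}" "Mozilla/5.0"')

_SHIRE = "shire=https%3A%2F%2F{0}%2FShibboleth.sso%2FSAML%2FPOST"
SAMPLE_LOG = [  # constructed sample data, not real traffic
    _line(f"{SSO_PATH}?{_SHIRE.format('sp1.example.org')}"
          "&target=https%3A%2F%2Fsp1.example.org%2Fsecure", "https://sp1.example.org/secure"),
    _line(f"{SSO_PATH}?{_SHIRE.format('sp2.example.org')}", "https://sp2.example.org/app"),
    _line(f"{SSO_PATH}?{_SHIRE.format('sp2.example.org')}", "https://sp2.example.org/app"),
    _line(f"{SSO_PATH}?target=", "https://sp3.example.org/login"),
    _line("/shibboleth-idp/images/logo.gif", "-"),
]

if __name__ == "__main__":
    for (sp, missing), n in scan(SAMPLE_LOG).items():
        print(f"{sp}: {n} request(s) missing {', '.join(missing)}")
```

The per-host counts give IdP staff a concrete SP contact to forward the problem to, which is the same hand-off the blameSP error page asks the user to make.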

Configuration

To enable the feature, simply add an attribute to the <IdPConfig> element in the IdPXml file:

<IdPConfig ... blameSP="true" ...>

When a malformed AuthnRequest is detected, a special error template called IdpErrorBlameSP.jsp is used to report the problem, allowing you to customize the message users will see.