Handle incorrect password

[nawatts]

When attempting to authenticate with an incorrect password, sendIdpRequest fails with:

2016-03-11 17:13:44.120 [Debug] [ECP.swift:67] sendIdpRequest > Error
   Domain=NSXMLParserErrorDomain
   Code=65 "(null)"
   UserInfo={
      NSXMLParserErrorColumn=50,
      NSXMLParserErrorLineNumber=1,
      NSXMLParserErrorMessage=Space required after the Public Identifier
   }
The operation couldn’t be completed. (NSXMLParserErrorDomain error 65.)

It seems AEXML does not parse the response from the IDP in Alamofire+ReactiveCocoa's XMLResponseSerializer. The response from the IDP is:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.2.15 (Oracle) Server at idp.clemson.edu Port 443</address>
</body></html>

It seems like the 401 response (assuming the IDP is actually sending 401 as the status code) should be caught and returned as an error with a user friendly message.

[nawatts]

Closed with a6fadd0.

[nawatts]

The ECP spec mentions the case where the IDP responds with an HTML form.

The SAML request is submitted via the SAML SOAP binding in the usual fashion, but the identity provider MAY respond to the client's HTTP request with an HTTP response containing, for example, an HTML login form or some other presentation-oriented response. A sequence of HTTP exchanges MAY take place, but ultimately the identity provider MUST complete the SAML SOAP binding exchange and return a SAML response.

However, the use of HTML and a presentation-oriented interface for authentication is NOT RECOMMENDED. Identity providers and clients SHOULD support the use of SOAP- or HTTP-based authentication mechanisms that can be implemented without (or with minimal) user interface support.

I'm not sure how this should best be handled. In the case where the ECP endpoint is protected by Apache, sending another request should just get back the same HTML form.

[nawatts]

I think the proper way to handle this is to assign an NSURLSessionTaskDelegate to the IDP request and implement the didReceiveChallenge method to cancel the challenge.

https://developer.apple.com/library/prerelease/ios/documentation/Foundation/Reference/NSURLSessionTaskDelegate_protocol/index.html#//apple_ref/occ/intfm/NSURLSessionTaskDelegate/URLSession:task:didReceiveChallenge:completionHandler: