
assurance - Re: [Assurance] Assurance and system monitoring

Subject: Assurance

  • From: Eric Goodman <>
  • To:
  • Subject: Re: [Assurance] Assurance and system monitoring
  • Date: Tue, 24 Jan 2012 09:52:58 -0800

On Mon, Jan 23, 2012 at 8:32 PM, Cantor, Scott <> wrote:
On 1/23/12 9:15 PM, "Tom Scavo" <> wrote:
>
>> What do you do in this scenario?
>
>I don't think the scenario is very realistic since SAML Web Browser SSO
>usually involves a user in possession of a browser and an authentication
>secret.

Not very realistic in what sense? I have a vendor demanding such an account right now. Maybe it's not common, but it's not a thought exercise!
 
People use monitoring accounts with strong passwords all the time, but
that said, I wouldn't give a vendor the ability to do that. If they wanted
to monitor their application, they should run their own IdP to do it, or
have a back door. It's not their job to monitor my IdP.

-- Scott

That's my feeling as well, though from the vendor's PoV they are testing communication between my IdP and their SP, so I know they'll complain about running a different IdP (and even if they did, I don't see how they could assert Silver IAQ from their own IdP). Obviously, this vendor hasn't built any backdoor for the monitoring application to use either.

But I do appreciate the feedback!

Thanks,

--- Eric



