Login box (embedded in external portals outside IdP)
Tom Scavo
trscavo at gmail.com
Tue May 6 11:52:08 EDT 2014
On Tue, May 6, 2014 at 11:47 AM, David Bantz <dabantz at alaska.edu> wrote:
> And that of course means your two web site services will have access to
> unencrypted credentials of your users, which, as Dave Perry stated, defeats
> (one of) the points of having an IdP. By soliciting users’ credentials, and
> verifying them by submitting them to the IdP, those sites are in effect
> harvesting users’ SSO credentials. However well intentioned and well
> administered you believe those two web services to be, they pose additional
> risk of exposure or misuse of users’ credentials. Were it mine, I would
> look to configure the IdP to block such requests from those sites.
+1
Tom