Login box (embedded in external portals outside IdP)

Tom Scavo trscavo at gmail.com
Tue May 6 11:52:08 EDT 2014

On Tue, May 6, 2014 at 11:47 AM, David Bantz <dabantz at alaska.edu> wrote:
> And that of course means your two web site services will have access to
> unencrypted credentials of your users, which, as Dave Perry stated, defeats
> (one of) the points of having an IdP.  By soliciting users’ credentials, and
> verifying them by submitting them to the IdP those sites are in effect
> harvesting users SSO credentials.  However well intentioned and well
> administered you believe those two web services to be, they pose additional
> risk of exposure or misuse of users’ credentials.  Were it mine, I would
> look to configure the IdP to block such requests from those sites.



More information about the users mailing list