Test Accounts (Per -- Local/Internal IdP Login Account)

Cantor, Scott cantor.2 at osu.edu
Wed Jul 31 13:55:50 EDT 2019


On 7/31/19, 1:32 PM, "users on behalf of Joshua Brodie" <users-bounces at shibboleth.net on behalf of josbrodie at gmail.com> wrote:

> For test accounts -- could 'ImpersonateInterceptConfiguration' be an option -

Yes, depending on your attribute story. I pitched it here once or twice as an option if we wanted to create test identities in our IDM that didn't have passwords set as a security measure.

But yes, it points out that authentication is really not the issue with test accounts, it's the data that's the problem, and in the end it's all production, not test. Data just has the meaning you choose to give it, and you have to carefully think about it end to end before doing anything, unless it's closely held.

So, no, I would never issue a test account to a vendor in any real sense. Not without an end-to-end strategy with security controls on the usage to limit it to specific services and a careful plan for what the data would look like.

I just tell vendors that ask that I don't need them to test my system, I need to test theirs. If they need a test account in my IdP to debug their own software, that tells me a great deal about how they do things and what my expectations should be.
 
-- Scott



