Test Accounts (Per -- Local/Internal IdP Login Account)
NAINI, NIKHIL
NAINI at mailbox.sc.edu
Wed Jul 31 14:05:15 EDT 2019
> I just tell vendors that ask that I don't need them to test my system, I need to test theirs.
I very much share the thought process, but the application (team) requesting the integration either gives them an admin account or keeps pestering us to provide a test account. To get out of this endless loop for every new integration, I thought it might be easier to just get a dummy account with dummy data setup on a local instance (Apparently CAS SSO has this feature, but I'm not entirely sure about the technical details involved).
>From a timeline perspective, I did read the expected completion to IdP V4 is Q4, 2019, but can anyone comment on its progress? We're considering upgrading from 3.3.1 to 3.4.4, might just wait for V4 to show up if that's gonna be before Dec 2019.
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Wednesday, July 31, 2019 1:56 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Test Accounts (Per -- Local/Internal IdP Login Account)
On 7/31/19, 1:32 PM, "users on behalf of Joshua Brodie" <users-bounces at shibboleth.net on behalf of josbrodie at gmail.com> wrote:
> For test accounts -- could 'ImpersonateInterceptConfiguration' be an option -
Yes, depending on your attribute story. I pitched it here once or twice as an option if we wanted to create test identities in our IDM that didn't have passwords set as a security measure.
But yes, it points out that authentication is really not the issue with test accounts, it's the data that's the problem, and in the end it's all production, not test. Data just has the meaning you choose to give it, and you have to carefully think about it end to end before doing anything, unless it's closely held.
So, no, I would never issue a test account to a vendor in any real sense. Not without an end to end strategy with security controls on the usage to limit it to specific services and a careful plan for what the data would look like.
I just tell vendors that ask that I don't need them to test my system, I need to test theirs. If they need a test account in my IdP to debug their own software, that tells me a great deal about how they do things and what my expectations should be.
-- Scott
--
For Consortium Member technical support, see https://protect2.fireeye.com/url?k=283e002e-74affd98-283e4eef-ac1f6b0e677a-fca57723a59b8e6c&q=1&u=https%3A%2F%2Fwiki.shibboleth.net%2Fconfluence%2Fx%2FcoFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
More information about the users
mailing list