* John P. Szkudlapski <[log in to unmask]> [2009-08-19 16:41]:
> We have tackled it by having a guest account on our AD, with a
> specified password, which we set to expire a day after contacting
> the relevant company.

Setting up test accounts sometimes doesn't work for us, since they may be missing required attributes that are only generated for actual people with e.g. active employment status, based directly on data sourced from the system of record (HR system). And creating fictitious people with fictitious jobs and functions in upstream systems isn't something we like to do.

If I can't slip those attributes in somewhere (e.g. an intermediary system, metadirectory, person registry, etc.; these entries also tend to be forgotten, since the entry itself might be legitimate, but their additional attributes are not) I could also fabricate them in the Shib config (a static DataConnector comes to mind). Which requires either always auto-reloading the relevant part of the config (possible at least with the 2.x IdP) or a restart of the context or container, which will nuke all IdP sessions (unless you're running a cluster), so that's not really desirable either.

-peter
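As an added illustration of the static DataConnector route mentioned above (not from the original thread or the Shibboleth project), here is a Shibboleth IdP 2.x attribute-resolver fragment that supplies the missing attributes, paired with an attribute-filter policy that releases them only to a test SP. The connector id, attribute names and the SP entityID are assumed placeholders; the filter keeps the fabricated values from leaking to production relying parties.

```xml
<!-- attribute-resolver.xml: static source for attributes the HR feed does not
     produce for a test account (connector id and values are placeholders) -->
<resolver:DataConnector id="staticTestAttributes" xsi:type="dc:Static">
    <dc:Attribute id="eduPersonAffiliation">
        <dc:Value>member</dc:Value>
    </dc:Attribute>
    <dc:Attribute id="eduPersonEntitlement">
        <dc:Value>urn:example.org:entitlement:test-only</dc:Value>
    </dc:Attribute>
</resolver:DataConnector>

<!-- Simple definitions pulling their values from the static connector -->
<resolver:AttributeDefinition id="eduPersonAffiliation" xsi:type="ad:Simple"
        sourceAttributeID="eduPersonAffiliation">
    <resolver:Dependency ref="staticTestAttributes" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple"
        sourceAttributeID="eduPersonEntitlement">
    <resolver:Dependency ref="staticTestAttributes" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" />
</resolver:AttributeDefinition>

<!-- attribute-filter.xml: release the fabricated values only to the test SP
     (entityID is a placeholder); no other policy should permit them -->
<afp:AttributeFilterPolicy id="releaseStaticToTestSP">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://test-sp.example.org/shibboleth" />
    <afp:AttributeRule attributeID="eduPersonAffiliation">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonEntitlement">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
```

Because a static connector applies to every resolved principal, the filter policy above is what stops the placeholder values reaching other SPs; the reload-versus-restart trade-off described in the post still applies when the fragment is removed.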