B. is concerned (and rightfully so) that nobody is thinking about audit issues related to federated IdM. He asks:
Are there any standards, or is there any organization that does audits of "federated" IdM systems? [We] are rushing into deploying a federated IdM, built around Shibboleth. I am concerned that very few institutions have done internal identity audits, and nobody is thinking about issues related to federated IdM. Is this an area for concern? Even if the technology is solid, how do you confirm that it's implemented correctly? Are there organizations that will put a meaningful stamp of approval on individual implementations? Across organizations?