...

  • A site administrator for an organization may not function as a delegated administrator for the same organization.
  • A delegated administrator may not upload a certificate (for security reasons). (MDADMIN-51)
  • A site administrator is provided with limited information on which to base an approval decision. (MDADMIN-61)
  • A site administrator is unable to constrain the update capability of a particular delegated administrator. (MDADMIN-56)

Security Considerations

For delegated administrators, the Federation Manager recognizes federated credentials only; no local credentials are issued to delegated administrators. Currently there are no explicit assurance requirements associated with these credentials. Because a trusted site administrator must approve any metadata update request submitted by a delegated administrator, this approval process is thought to mitigate any weakness in the delegated administrator's login credentials.