identigral's comments

https://github.com/yaelwrites/Big-Ass-Data-Broker-Opt-Out-Li... is a useful place to start for opting out. As of this writing, this list does not include Airlines Reporting Corporation (ARC), a data broker mentioned in the article.

This is a good summary of a novel we've been writing based on our experience of tackling similar issues with clients. Working title: Misaligned Incentives. The best real-world solutions we've seen address this issue head-on by providing tangible incentives to the user in such a way that motivates them to act and doesn't harm the overall business objective. Example: product/service discount in a form of a coupon if you register a 2nd auth factor. Finding that balance is challenging, it is very context-sensitive. Selling it to the service owners is even more fun.

If your app is .NET, look at Sustainsys (https://saml2.sustainsys.com/en/2.0/) or ITFoxtec (https://www.itfoxtec.com/IdentitySaml2) libs. Unfortunately there isn't a clear architect/dev-level guidance at the protocol level on key decisions that need to be made when implementing SP that tightly integrates with your app. Give one of these a shot and post your questions on StackOverflow.

If your language/environment supports using Apache HTTPD as a proxy, then you can use mod_auth_mellon to secure your web application. That's just one option, there are lots of others.

For a technical intro to SAML, the best place to start is the original OASIS Technical Summary doc at http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-t... . It's still very much relevant and it doesn't gloss over important details (profiles as a central concept, profiles other than web browser SSO [such as single logout], multiple bindings in a profile, etc)