I have a Pega application that users currently access through the standard SAMLAuth authentication service. This works fine for individual users. However, I have a scenario where Pega will be running as a mashup in another application. Users of this other application will not be set up as operators in Pega. I'd like users coming in from this other application to run under a single system/application operator that is set up for this purpose. I know that we can send the UserIdentifier and Password as data-pega-action-param-parameters. However, I don't like this option as the id/pass is hardcoded in the HTML of the hosting application and sent in the clear as a query string parameter.
What suggestions are there to accomplish this? One option I was wondering about is whether the application hosting the mashup could get a SAML token for a single system/application id and then pass that when calling the mashup and go through the same SAMLAuth auth service as individual users.