...
The Authorization Framework SAML assertion used in exchange is a somewhat different flavor from Single Sign-On (SSO) SAML: there is no username/password in the exchange SAML, only attributes asserting who is making the request, on behalf of which organization, and for what purpose. Unless you only exchange with a fixed set of predetermined partners, there is no way to know in advance which users will attempt to query your exchange.
Suggestion: Develop a set of policies to accept or deny messages based on the information in the exchange SAML (Subject ID, Subject Organization, Subject Role, Purpose Of Use, Home Community ID, Organization ID, Resource ID (optional), National Provider Identifier (optional)), and then implement a custom CONNECT policy engine adapter to enforce those policies. If a message passes your policies, you have some assurance about the request and can be more comfortable using a single username and password to communicate with your service.
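The shape of such a policy, as an added example that is not CONNECT's own policy engine adapter (that adapter is a Java component in the gateway): it pulls the attributes listed above out of the assertion's AttributeStatement and applies a deny-by-default policy. The attribute names follow the NwHIN Authorization Framework (verify them against the spec version your partners implement); the OIDs, role codes, organization mapping and the sample assertion are constructed placeholders. Evaluate attributes only after the WS-Security signature over the assertion has been verified and the issuer is a trusted partner, otherwise any caller can claim any Home Community ID.

```python
"""Deny-by-default attribute policy over an NwHIN-style SAML assertion.

Added illustration, not CONNECT's PolicyEngine adapter. Attribute names
follow the NwHIN Authorization Framework (assumption: check your spec
version); OIDs, codes and the policy table are constructed placeholders.
"""
import xml.etree.ElementTree as ET
from collections import namedtuple

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SUBJECT_ID = "urn:oasis:names:tc:xspa:1.0:subject:subject-id"
ORGANIZATION = "urn:oasis:names:tc:xspa:1.0:subject:organization"
ORGANIZATION_ID = "urn:oasis:names:tc:xspa:1.0:subject:organization-id"
HOME_COMMUNITY_ID = "urn:nhin:names:saml:homeCommunityId"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
PURPOSE_OF_USE = "urn:oasis:names:tc:xspa:1.0:subject:purposeofuse"
RESOURCE_ID = "urn:oasis:names:tc:xacml:2.0:resource:resource-id"   # optional
NPI = "urn:oasis:names:tc:xspa:2.0:subject:npi"                     # optional

REQUIRED = (SUBJECT_ID, ORGANIZATION, ORGANIZATION_ID,
            HOME_COMMUNITY_ID, ROLE, PURPOSE_OF_USE)

# Constructed local policy; a real deployment loads this from configuration.
POLICY = {
    "trusted_home_communities": {"urn:oid:1.2.3.4.5"},
    # organization-ids we expect under each trusted home community
    "org_by_hcid": {"urn:oid:1.2.3.4.5": {"urn:oid:1.2.3.4.5.1"}},
    "allowed_purposes": {"TREATMENT", "EMERGENCY"},
    "allowed_roles": {"PHYSICIAN", "NURSE"},
}

Decision = namedtuple("Decision", "permitted reasons")


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from every AttributeStatement.
    Coded values (hl7 CE elements such as Role/PurposeOfUse) reduce to their
    code attribute; plain values are their trimmed text."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        for value in attr.iterfind("saml:AttributeValue", NS):
            coded = [c.get("code") for c in value if c.get("code") is not None]
            text = coded[0] if coded else (value.text or "").strip()
            attrs.setdefault(attr.get("Name"), []).append(text)
    return attrs


def evaluate(attrs, policy=POLICY):
    """Deny unless every required attribute is present exactly once and the
    home community, organization, purpose of use and role are all allowed.
    Every denial carries its reasons so the decision can be logged."""
    reasons = []
    for name in REQUIRED:
        values = attrs.get(name, [])
        if len(values) != 1 or not values[0]:
            reasons.append(f"{name}: expected exactly one non-empty value, got {values}")
    if reasons:                       # ambiguous or incomplete assertion: stop here
        return Decision(False, reasons)
    hcid, org_id = attrs[HOME_COMMUNITY_ID][0], attrs[ORGANIZATION_ID][0]
    if hcid not in policy["trusted_home_communities"]:
        reasons.append(f"untrusted home community {hcid}")
    elif org_id not in policy["org_by_hcid"].get(hcid, set()):
        reasons.append(f"organization {org_id} not registered under {hcid}")
    if attrs[PURPOSE_OF_USE][0] not in policy["allowed_purposes"]:
        reasons.append(f"purpose of use {attrs[PURPOSE_OF_USE][0]} not allowed")
    if attrs[ROLE][0] not in policy["allowed_roles"]:
        reasons.append(f"role {attrs[ROLE][0]} not allowed")
    return Decision(not reasons, reasons)


def check(assertion_xml, policy=POLICY):
    return evaluate(extract_attributes(assertion_xml), policy)


def sample_assertion(hcid="urn:oid:1.2.3.4.5", org_id="urn:oid:1.2.3.4.5.1",
                     purpose="TREATMENT", role="PHYSICIAN"):
    """Constructed, unsigned assertion fragment (no Subject/Conditions) for demonstration."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:hl7="urn:hl7-org:v3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    Version="2.0" ID="_constructed-1" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>CN=partner-gateway.example</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="{SUBJECT_ID}">
      <saml:AttributeValue>Example Clinician</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{ORGANIZATION}">
      <saml:AttributeValue>Example Clinic</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{ORGANIZATION_ID}">
      <saml:AttributeValue>{org_id}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{HOME_COMMUNITY_ID}">
      <saml:AttributeValue>{hcid}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{ROLE}">
      <saml:AttributeValue>
        <hl7:Role xsi:type="hl7:CE" code="{role}" codeSystem="0.0.placeholder"/>
      </saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{PURPOSE_OF_USE}">
      <saml:AttributeValue>
        <hl7:PurposeOfUse xsi:type="hl7:CE" code="{purpose}" codeSystem="0.0.placeholder"/>
      </saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


if __name__ == "__main__":
    print(check(sample_assertion()))
    print(check(sample_assertion(hcid="urn:oid:9.9.9.9")))
    print(check(sample_assertion(purpose="RESEARCH")))
```

The organization-to-home-community mapping is the check most worth keeping even if you relax the others: a partner gateway that forwards requests for many organizations can still only assert organization IDs you have registered under its HCID, which catches a misconfigured or spoofed Organization ID before the request reaches the single-credential service behind the gateway.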
How can we implement/set up an MPI?
...