- the most legal-friendly way is to let SP operators initiate the test, this way the SP operator cannot oppose to the test; then submits a report with the results (e.g. as a part of a mandatory yearly check up to the federation operator)
or
- the federation operator makes it mandatory in terms & conditions that they can run a well-defined set of tests, in well-defined way (how often etc.)