Just to add some closure, here is the (edited) response to my question from the other organization regarding this:
This is not how we had originally designed it. We wanted the
vendors to force the user to log in. To the best of my
knowledge all of the vendors have written the real-time transfer
as you have mentioned. If you are going to send the information
this way then the user id owner must realize that he/she is
taking the responsibility and if there is any breach of
security then the user id owner will be the person that
is contacted.
So in this case it would seem my assumptions are allowed (if not correct).
I plan to do one step better than the 'other vendors' by having my application require the user to enter the other organization user/password the first time it needs access, rather than defaulting it in the configuration. At the very least this will remind users that there is another system involved without unnecessarily inconveniencing them for the rest of their logged-in time.