see Shibboleth here at university i login *once* and am authenticated via local mechanism. i can now visit napster and they recieve something like:

SHIB-USER: 76e4f594477c4121b3b560548dc8229e@uni.edu
SHIB-AFFILIATION: member@uni.edu
[download]

so they don't really know who i am, only that i'm from the uni and have a uniq-id. an internal uni site might recieve:

SHIB-USER: me@uni.edu
SHIB-AFFILIATION: member@uni.edu, staff@uni.edu
[download]

and an internal department site might recieve:

SHIB-USER: me@uni.edu
SHIB-AFFILIATION: member@uni.edu, staff@uni.edu
SHIB-DEPARTMENT: Information Services
SHIB-EMPLOYEE-ID: 85493
SHIB-OFFICE-EXT: x74393
[download]

Shibb has had some growing pains but has gotten much better the past year or so. the auth parts are handled by an Apache module so the application just needs to pull the info from the environment variables. Shibb could be used to allow Perl Monks, PAUSE, cpanforum and others to trust eachother without sharing passwords back and forth.