Don’t have time to make this detailed yet, but I’m experimenting with SAML (Security Assertion Markup Language). For some fun, set up your own IdP by following the first two links:
Once that works, upgrade to a 30-day free trial of a Google Apps Premier account. All of the steps for Google Apps for Education apply equally well to a Premier account. I haven’t tested yet whether the SAML settings remain in place once the free trial is over.
This is a really neat capability, however. I can now be in charge of authenticating users for my Google Apps domain however I want: it doesn’t have to be passwords, and I also don’t have to expose the exact same identity to every site. If I trust my own identity provider, then I can have single sign-on without two different service providers (i.e., websites I actually want to visit) necessarily being able to tell that the same user is accessing both sites (modulo network monitoring, timing, and other ways of correlating traffic). SAML supports this directly: the IdP decides what goes in the assertion’s NameID, and the persistent NameID format is meant to be an opaque pseudonym scoped to one service provider, so each site can be handed a different identifier for the same person.
I hope to explore this in more detail and write about it.
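To make the per-site identity point concrete, here is a toy SAML-style IdP and SP in Python. This is an added example and not code from this post, from Google or from Wave Systems; the entity IDs (IDP_ENTITY_ID, SP_MAIL, SP_WIKI), the user name "alice" and the PAIRWISE_SECRET are all constructed for illustration. The IdP derives a different persistent NameID for every (user, SP) pair with an HMAC keyed by an IdP-only secret and restricts each assertion to one Audience; the SP checks that it is the intended audience before trusting the identifier. XML signing, which a real deployment requires, is left out.

```python
"""Toy SAML-style IdP that hands each Service Provider (SP) a different,
stable pseudonymous NameID. Added example, not code from the post, from
Google or from Wave Systems; entity IDs, users and the secret are constructed."""
import hashlib
import hmac
import secrets
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
ET.register_namespace("saml", SAML_NS)

IDP_ENTITY_ID = "https://idp.example.org/saml"      # hypothetical IdP
SP_MAIL = "https://mail.example.com/saml/metadata"  # hypothetical SP 1
SP_WIKI = "https://wiki.example.net/saml/metadata"  # hypothetical SP 2

# In a real IdP this key lives in a database or an HSM and never changes;
# rotating it would change every user's pseudonym at every SP.
PAIRWISE_SECRET = secrets.token_bytes(32)


def _tag(name):
    return f"{{{SAML_NS}}}{name}"


def pairwise_name_id(user_id, sp_entity_id, secret=PAIRWISE_SECRET):
    """Pseudonym for (user, SP): HMAC keyed with an IdP-only secret.
    The same user at the same SP always gets the same value (a persistent
    NameID), the same user at another SP gets an unrelated value, and an SP
    cannot invert the value to learn the IdP-side user_id without the secret."""
    msg = sp_entity_id.encode() + b"\x00" + user_id.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_assertion(user_id, sp_entity_id, lifetime=timedelta(minutes=5)):
    """IdP side: assertion whose Subject is the pairwise pseudonym and whose
    Audience restricts it to one SP (a real IdP would also XML-sign it)."""
    now = datetime.now(timezone.utc)
    assertion = ET.Element(_tag("Assertion"), {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": now.strftime(TIME_FMT),
    })
    ET.SubElement(assertion, _tag("Issuer")).text = IDP_ENTITY_ID
    subject = ET.SubElement(assertion, _tag("Subject"))
    name_id = ET.SubElement(subject, _tag("NameID"), {
        "Format": PERSISTENT,
        "NameQualifier": IDP_ENTITY_ID,
        "SPNameQualifier": sp_entity_id,   # the SP this pseudonym is scoped to
    })
    name_id.text = pairwise_name_id(user_id, sp_entity_id)
    conditions = ET.SubElement(assertion, _tag("Conditions"), {
        "NotBefore": now.strftime(TIME_FMT),
        "NotOnOrAfter": (now + lifetime).strftime(TIME_FMT),
    })
    restriction = ET.SubElement(conditions, _tag("AudienceRestriction"))
    ET.SubElement(restriction, _tag("Audience")).text = sp_entity_id
    return ET.tostring(assertion, encoding="unicode")


def sp_consume(assertion_xml, my_entity_id, now=None):
    """SP side: accept the assertion only if it names this SP as audience and
    is inside its validity window; return the NameID the SP keys its local
    account on. Signature verification is omitted in this toy."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(assertion_xml)
    if root.tag != _tag("Assertion"):
        raise ValueError("not a SAML assertion")
    audiences = {e.text for e in root.iter(_tag("Audience"))}
    if my_entity_id not in audiences:
        raise ValueError("assertion was issued for a different SP")
    cond = root.find(_tag("Conditions"))
    not_before = datetime.strptime(cond.get("NotBefore"), TIME_FMT).replace(tzinfo=timezone.utc)
    not_on_or_after = datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT).replace(tzinfo=timezone.utc)
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion outside its validity window")
    return root.find(f"{_tag('Subject')}/{_tag('NameID')}").text


if __name__ == "__main__":
    mail_id = sp_consume(build_assertion("alice", SP_MAIL), SP_MAIL)
    wiki_id = sp_consume(build_assertion("alice", SP_WIKI), SP_WIKI)
    print("mail sees:", mail_id)
    print("wiki sees:", wiki_id)
    print("linkable by comparing NameIDs?", mail_id == wiki_id)
```

Two caveats worth keeping in mind. The unlinkability only holds for what the IdP puts in the assertion: if the IdP also releases an attribute such as the user’s e-mail address to both sites, the pseudonymous NameID buys nothing. And the audience check in sp_consume is what stops an assertion minted for one site from being replayed at another; without a signature over the assertion, that check is only as good as the transport it arrived over.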
A very interesting identity provider (IdP) is id.wave.com. You can create an OpenID there and log in to sites that use OpenID, and you can also log in to sites that use SAML for single sign-on. Notably, Google Apps is one such site: it allows users to authenticate via SAML if you have a Premier or Education account.
Also interesting is that id.wave.com can authenticate users based on public-key credentials stored in their system’s TPM chip. If your system includes the Dell Embassy Trust Suite by Wave Systems, then a small browser plugin for IE 8 enables seamless authentication without passwords.