...
- username and password.
- kerberos
- X509 certificate
- self-issued token
We chose to implement the username/password because it's the most common way people use SSO. It's easiest to implement, and works for everyone.
Kerberos would probably work for people with IE browsers using MS cardspace and a KDC in common with the IP. Probably not for anyone else.
Certificates and self-issued tokens are a convenience to the user. Either uses a public/private key mechanism and would require registration and a database at the IP, with all the accompanying maintenance and clustering headachesWe also implement the self-issued token because it's popular, at least with testers - and convenient for users.
Do not support Kerberos.
Do not support Certificates.
Attributes
On the card
The card lists all the attributes it can provide.
...