Alleviating the Password Explosion Problem

Don't you just hate it when your password explodes, letting the magic smoke out of your server, and setting lp0 ablaze?

In all seriousness, the number of places a person needs a username and password is increasing dramatically. It looks like OpenID won't be solving the problem in the near future, and Single Sign-On seems more like a goal than a reality internally, even disregarding the great big net out there.

I just came from a meeting wherein I was told that we've paid for access to several external sites, and want to lower the bar and increase the likelihood that staff (and students) will make use of these resources. Those speaking felt that our top five- to ten-percent of users might make use of the sites, but if we could provide a way to log people in to the sites (and give them a launching-off page) that the uptake might increase dramatically (and that we could save tech support money by not having to help people when they forget their passwords).

What are you doing about this problem in your organization? Are there any sensible approaches?


Kerberos gets you 90% there. Then you've got to get your browsers passing Kerberos tokens to internal websites (look in about:config on Mozilla variants, search for "nego" to see the preferences).

After that, RADIUS-type authentication for the things that require passwords, or LDAP.
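The "nego" search in about:config surfaces the `network.negotiate-auth.*` preferences, which control which sites the browser will offer Kerberos (SPNEGO) tokens to. The following is an added example, not code from the poster: a small audit of a profile's `user.js` that lists entries worth reviewing before rollout. The hostnames are constructed placeholders and the review rules are assumptions of this example.

```python
import re

# Constructed sample of a Firefox user.js; all hostnames are placeholders.
SAMPLE_USER_JS = '''
user_pref("network.negotiate-auth.trusted-uris", "https://, .corp.example, http://wiki.corp.example");
user_pref("network.negotiate-auth.delegation-uris", ".corp.example, https://files.other.example");
user_pref("network.negotiate-auth.allow-non-fqdn", true);
'''

PREFIX = "network.negotiate-auth."
PREF_RE = re.compile(
    r'user_pref\("(network\.negotiate-auth\.[\w.-]+)",\s*("([^"]*)"|true|false)\s*\)')

def parse_prefs(text):
    """Return {pref_name: value} for the network.negotiate-auth.* prefs."""
    prefs = {}
    for name, raw, quoted in PREF_RE.findall(text):
        prefs[name] = quoted if raw.startswith('"') else (raw == "true")
    return prefs

def split_sites(value):
    """The URI prefs are comma-separated lists of URL prefixes or domains."""
    return [s.strip() for s in value.split(",") if s.strip()]

def audit(prefs):
    """Return (finding, entry) pairs; the rules are this example's assumptions."""
    findings = []
    trusted = split_sites(prefs.get(PREFIX + "trusted-uris", ""))
    delegated = split_sites(prefs.get(PREFIX + "delegation-uris", ""))
    for site in trusted + delegated:
        if site.endswith("://"):
            # A bare scheme matches every site using that scheme.
            findings.append(("scheme-only", site))
        elif site.startswith("http://"):
            # Negotiation with this site happens over an unencrypted channel.
            findings.append(("cleartext-http", site))
    for site in delegated:
        # Delegation lets the site act as the user; each entry needs an owner.
        findings.append(("delegation", site))
    if prefs.get(PREFIX + "allow-non-fqdn") is True:
        findings.append(("non-fqdn-allowed", PREFIX + "allow-non-fqdn"))
    return findings

if __name__ == "__main__":
    for finding, entry in audit(parse_prefs(SAMPLE_USER_JS)):
        print(f"{finding:18} {entry}")
```
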


We're making extensive use of the Central Authentication Service (Wikipedia entry). It has plug-ins for a lot of things, and we've managed to use it for services that have separate identity information per-user. I believe it can also be used for services where there is a generic login to a site.