SSO / Authentication Server

I have a project with the purpose of exposing multiple web applications over the internet. These applications are build using IIS/DotNet and Apache/Php.

The internet user should log-in in only one place, and then be able to access any aplication. What are the posible solutions to this scenario? One requirement is that changes to existing applications be minimum and another is to use ActiveDirectory for user management.

I have found so far the following solutions:

• use a reverse proxy (COTS product) to publish web applications to the internet, and the proxy should take care of authentication/SSO
• using forms authentication and a domain wide cookie; this solutions requires changes to existing applications and manual log in in AD
• create a new application using forms authentication and after user enters credentials into this application, use these credentials to send a XMLHttpRequest to another applications (this will log in the user)
• use client certificates, so that when a user connects to an applications, his certificate will handle the log in process; this approach has a problem when there is more than one certificate installed in 开发者_如何转开发the client browser because the browser will ask the user to choose a certificate (and this will happen for every app)