One of the interesting aspects of distributed computing is the determination of where to authenticate. Today, we have options for authenticating to our local client, to some "perimeter" device (say a VPN or even an 802.1x router), to the server operating system, to the database, and to the application. And don’t forget somewhere in between .
The decision is interesting because we get closer to single sign on the closer we get to the user yet extremely sensitive applications are likely to want what they perceive to be as stronger security by locating it directly at the application or data level.
Of course, federation is becoming in vogue to attempt to proxy authentication anywhere and everywhere, but we shouldn’t completely ignore the difference between a proxied authentication event and a direct one. I think in some cases, we can’t tell the difference…