In my organisation many of the java web apps use acegi (spring security) filters to detect if a user has logged on. If users have not logged on they are redirected to a central CAS logon page which transparently logs them on with their windows domain credentials (if they are using IE, if firefox, they manually type in their details). Then they are redirected back to the page they came from.

This works well because individual web apps dont have to worry about the logon mechanism, or writing logon pages with NTLM HTTP authentication.

Could crowd provide a facility like this? The web page (assuming IE) should log users in automatically, and redirect them to the application url they came from. If they logged in successfully, crowd would then issue a cookie - allowing all apps participating in sso to be logged in.