If you want to make a website with many different parts, one of the first things you'd want to integrate is user authentication. While you could use a tool such as Drupal that includes a lot of functionality, I decided to try bridging heterogeneous software. Such bridging involves two components: shared data, allowing many applications to authenticate against the same credentials, and shared sessions, allowing users to sign in or out just once for every application. Here are some open-source options:
- OpenID allows applications to accept identities from many different providers
- Central Authentication Service (CAS) provides proxy authentication by redirecting application login to a central login service
- Shibboleth provides proxy authentication as CAS does, as well as shared attributes about users
In general, OpenID provides proxy authentication without shared sessions. You could have each of your applications authenticate against your own identity provider, but the user would not be automatically signed in. With CAS, you get single sign-on, but you cannot share user information among all the different applications (unless you use some shared database such as MySQL or LDAP). Shibboleth and OpenID allow attribute sharing, effectively allowing applications to access the same user information.
Each framework has its strengths, but you could potentially put them together if you wanted to: use CAS/Shibboleth for SSO in your own applications, and use OpenID to export user identities to other people's applications. You could even accept third-party OpenID in your CAS/Shibboleth authentication, but you'd probably be better off using just OpenID in this case.
Anyhow, I decided to go with CAS. It's a Java program, which I don't like, and there is a strong Ruby alternative known as RubyCAS (and a Python package called anz.cas). However, I use WordPress, and that provides many features used in a CAS identity provider. Sure enough, there's a plugin for that. I had to edit it a bit, but it works pretty well.
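To make the CAS redirect flow concrete, here is what the application side does, as an added example (not code from the plugin or from any CAS project): it sends the browser to the central login page, then checks the returned ticket against the server and fails closed on anything unexpected. The host names and the sample responses are constructed; the endpoint paths and XML namespace follow the CAS 2.0 protocol.

```python
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

CAS_BASE = "https://cas.example.org/cas"    # assumed CAS server URL
SERVICE = "https://blog.example.org/"       # assumed application URL
CAS_NS = "http://www.yale.edu/tp/cas"       # CAS 2.0 response namespace
NS = {"cas": CAS_NS}


def login_redirect(service=SERVICE):
    """URL the application sends an unauthenticated browser to."""
    return f"{CAS_BASE}/login?{urlencode({'service': service})}"


def validation_url(ticket, service=SERVICE):
    """Back-channel URL the application fetches to check the ticket.

    The service value must be the same one used at login; the server
    rejects a ticket presented for a different service.
    """
    query = urlencode({"service": service, "ticket": ticket})
    return f"{CAS_BASE}/serviceValidate?{query}"


def parse_validation(xml_text):
    """Return the username on success, None on any failure (fail closed)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag != f"{{{CAS_NS}}}serviceResponse":
        return None                      # wrong or missing namespace
    success = root.find("cas:authenticationSuccess", NS)
    if success is None:
        return None                      # authenticationFailure or unknown body
    user = success.findtext("cas:user", default="", namespaces=NS).strip()
    return user or None


# Constructed sample responses in the shape of serviceValidate output.
OK = f"""<cas:serviceResponse xmlns:cas="{CAS_NS}">
  <cas:authenticationSuccess><cas:user>alice</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
BAD = f"""<cas:serviceResponse xmlns:cas="{CAS_NS}">
  <cas:authenticationFailure code="INVALID_TICKET">not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(login_redirect())
    print(validation_url("ST-1-constructed"))
    print(parse_validation(OK), parse_validation(BAD))
```

The application never sees the password: it only learns the username from the validation response, which is why that response has to be fetched over HTTPS from the CAS server itself.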
Does anyone else have experience with this stuff?