We are considering options for implementing a single sign-on for a few web applications, of which some are CakePHP (1.3) and others are not. I'm hoping for advice or comments from people who have done this before.
Here's the idea: Access to the CakePHP app is controlled by the server AuthType. If the user isn't authenticated, they can't access the app at all, and instead get kicked back to the SSO login page. If they then login successfully, they are redirected back to the app and granted access by the web server.
At this point, CakePHP would read the contents of $_SERVER['REMOTE_USER'] to identify the user and present him or her with the correct information.
Specific questions:
- Assuming we can trust that the SSO is secure, is this approach safe and robust?
- Is it possible (or useful) to integrate this mechanism with Cake's Auth component?
- Is it Cakey to read the $_SERVER super-global directly?
- Is there a more Cake-like way of making an application SSO aware?
To clarify, I only need to know the authenticated user; I don't need (or want) to share the entire session with any other app.
Thanks!
Edit: Just to reiterate my comment below, the SSO and all the apps will be on our servers. We won't use RealID or any other external auth mechanism. So when I say "external" auth, I mean external to CakePHP but not external to our web server.
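To make the REMOTE_USER idea in the question concrete, the following is an added example, not the asker's code and not part of CakePHP itself. It sketches a hypothetical CakePHP 1.3 component (file and class names are assumptions) that maps the identity the web server authenticated onto a normal Auth session, so the rest of the app keeps using $this->Auth->user() and the Auth component's allow/deny rules. It assumes Apache sits in front with the SSO gate (AuthType) so that REMOTE_USER is set by the server, a User model with a 'username' column equal to the SSO login name, and that the controller declares the components as array('SsoAuth', 'Auth', ...) so this component's startup() runs before AuthComponent::startup().

```php
<?php
/**
 * app/controllers/components/sso_auth.php (hypothetical name; added example)
 *
 * Assumptions: CakePHP 1.3, Apache authenticates the request before PHP runs,
 * a User model with a 'username' field, and the controller lists 'SsoAuth'
 * before 'Auth' in its $components array.
 */
class SsoAuthComponent extends Object {

	// Auth and Session are loaded before this component so they are usable here
	var $components = array('Auth', 'Session');

	// Model and field that REMOTE_USER is matched against (assumptions)
	var $userModel = 'User';
	var $userField = 'username';

	function initialize(&$controller, $settings = array()) {
		$this->_set($settings);
	}

	/**
	 * Runs after beforeFilter() and, given the component order above, before
	 * AuthComponent::startup(), which then sees an ordinary logged-in session.
	 */
	function startup(&$controller) {
		$current = $this->Auth->user();
		$remote = $this->remoteUser();

		if ($remote === null) {
			// No server-level identity: leave Auth to its normal session handling.
			return;
		}
		if ($current && $current[$this->userModel][$this->userField] === $remote) {
			return; // session already matches the identity the web server reports
		}
		if ($current) {
			// Session belongs to a different user (shared browser, SSO user changed): drop it.
			$this->Auth->logout();
		}

		$User = ClassRegistry::init($this->userModel);
		$user = $User->find('first', array(
			'conditions' => array($this->userModel . '.' . $this->userField => $remote),
			'recursive' => -1,
		));
		if (empty($user)) {
			// Known to the SSO but not to this app: stay logged out, so Auth
			// applies its loginAction / authError handling as usual.
			return;
		}
		// AuthComponent::login() re-reads the record by primary key and stores it
		// (without the password field) under Auth.User in the session.
		$this->Auth->login($user);
	}

	/**
	 * Identity authenticated by the web server, or null.
	 * Only server-set variables are consulted: a client header such as
	 * "Remote-User: admin" shows up as $_SERVER['HTTP_REMOTE_USER'] and is ignored.
	 */
	function remoteUser() {
		$name = null;
		if (!empty($_SERVER['REMOTE_USER'])) {
			$name = $_SERVER['REMOTE_USER'];
		} elseif (!empty($_SERVER['REDIRECT_REMOTE_USER'])) {
			// Cake's .htaccess rewrites every request to index.php; on that internal
			// redirect Apache re-exports the variable with a REDIRECT_ prefix.
			$name = $_SERVER['REDIRECT_REMOTE_USER'];
		}
		if ($name === null) {
			return null;
		}
		// Kerberos/LDAP-backed SSO frequently reports user@REALM; keep the local part.
		if (($at = strpos($name, '@')) !== false) {
			$name = substr($name, 0, $at);
		}
		// Whitelist what may reach the model's find() conditions.
		if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $name)) {
			return null;
		}
		return $name;
	}
}
```

Two checks worth doing before relying on this: confirm that REMOTE_USER (or REDIRECT_REMOTE_USER) is actually populated in your PHP SAPI, since under FastCGI/PHP-FPM the web server has to pass it through, and confirm that the app is reachable only through the authenticating server, because the whole scheme trusts a variable that nothing in PHP can distinguish from one set by a misconfigured or bypassed front end.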
AFAIK, REMOTE_USER is only set when the "Authorization Required" header is set and the user authenticates using http auth.
Most single sign-on services use OAuth-type tokens to log users in. I don't think they will set the SERVER variable.
In either case, using http authentication isn't recommended, because it's not possible to log someone out if you notice suspicious activity. And users can't log themselves out except by shutting the browser.
I'd recommend strongly that you stick with session based authentication and authorization.