@swiley @valleyforge it does take some overhead off but you can bounce unauthenticated sessions to the login portal (which then has first party cookie for your login) which in turn bounces again to google or whoever and then does a redirect back that says "no actually the sessions legit." it's how oauth works.

although it's smoother if you're in a kerberos/gssapi situation where you can just hand the token along so it can skip the extra steps.