I would suggest the ability to specify an authentication service by company. In this way consulting company A has its users already in LDAP or Radius and can authenticate against a schema that is already existing and being upkept. Client company has a POP3 server, so their users that are part of the consultant's opengoo DB can authenticate against that server. By breaking out authentication in this manner you actually produce an app that is "single sign on" across companies and platforms. There are 5 types of auth requests that should cover 95% of the companies:
1. Radius
2. LDAP
3. POP (SPOP)
4. IMAP (Imap over SSL)
5. HTTP Auth (HTTPS)
It's just a thought. I have done something similar in the past by using realms and plugins for a radius server authenticating users against a variety of outside servers (usually pop3 at that time) and then made the web app radius aware. The nice thing was that when a client company fired someone, we didn't have to be the last to know and then change user permissions. They simply couldn't log in to our site because their home site had changed/deleted the user. All the user's information was still in our app - and that information could easily be migrated to a current user. I.e., nothing was lost.
-Thoughts
cluge
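One way to route logins to a per-company authentication backend as the post above suggests, added here as an example and not part of the original post or of OpenGoo's code. The class names, company keys and the host `imap.consult-a.example` are hypothetical, and `StaticBackend` is a constructed stand-in for a company directory so the example runs offline.

```python
import hmac, imaplib, ssl

class ImapsBackend:
    """Checks a password by logging in to the company's own IMAP-over-SSL server."""
    def __init__(self, host, port=993):
        self.host, self.port = host, port
    def check(self, username, password):
        ctx = ssl.create_default_context()  # verifies the server certificate
        conn = imaplib.IMAP4_SSL(self.host, self.port, ssl_context=ctx)
        try:
            conn.login(username, password)
            return True
        except imaplib.IMAP4.error:  # server rejected the credentials
            return False
        finally:
            conn.shutdown()

class StaticBackend:
    """Constructed stand-in for a company directory (hypothetical, offline only)."""
    def __init__(self, accounts):
        self.accounts = dict(accounts)
    def check(self, username, password):
        stored = self.accounts.get(username)
        return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

class CompanyAuthRouter:
    def __init__(self, backends, users):
        self.backends, self.users = backends, users  # company -> backend, username -> record
    def login(self, username, password):
        user = self.users.get(username)
        # Reject empty passwords: some LDAP servers treat them as an anonymous bind.
        if user is None or not password:
            return None
        backend = self.backends.get(user["company"])
        try:  # no local-password fallback: only the home server decides
            ok = backend is not None and backend.check(username, password)
        except Exception:  # home server unreachable or TLS failure: fail closed
            ok = False
        return user["profile"] if ok else None

def demo():
    client_dir = StaticBackend({"bob": "s3cret"})  # constructed sample account
    router = CompanyAuthRouter(
        {"client-co": client_dir, "consult-a": ImapsBackend("imap.consult-a.example")},
        {"bob": {"company": "client-co", "profile": {"projects": ["site-redesign"]}}})
    before = router.login("bob", "s3cret")
    del client_dir.accounts["bob"]  # the client company removes the user
    after = router.login("bob", "s3cret")
    return before, after, "bob" in router.users  # profile data is still held locally
```

`demo()` shows the offboarding case from the post: once the home directory drops the account the login fails, while the user's record stays in the application.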