We need to investigate how one can update the FORM authentication layer to delegate the authentication to an identity provider. Issues include:
1. authentication of the form username/password
2. authentication of an existing login from another app using SSO
3. reauthentication if the web session outlives the IDP token validity
4. propagation of the identity to other secure components.