Thanks everyone for the responses so far.

It definitely seems like LDAP would cover the most bases. So, it might make sense to start there and add other options progressively.

One difficulty is that we do not have any expertise in-house on any of these authentication protocols. I only know enough about LDAP to know that there are whole books about it… which I will probably have to start reading soon. 🙂 I wonder if there is enough variation between how it is used or configured at different institutions that we will run into problems making a generic enough interface in Specify to work for everyone.

John, you mentioned failover to local accounts. Do you mean accounts within the app itself, so that, e.g., if the external authentication service is unavailable, it is possible to authenticate directly with some other credentials? In other words, for Specify that would mean that you could try to log in with your campus username and password, but if that doesn’t work, you could use your old Specify username and password?