[SEJeff]

HN won't let me respond to your last comment, but I think that's a reasonable plan. Using LDAP directly over the internet in general sounds like a bit of a risky proposition. Perhaps do both that and SAML, then you make everyone happy. Again, good luck, I hope I was able to help you firm up your ideas.

[traxtech]

I digged some docs, I think I'll do LDAP+web for user self-servicing+SAML with Shibboleth+maybe OpenID. That will complicate the automated customer setup, but it'll cover many use cases.

Thanks for the help!