Single Sign-on and Natural for Ajax

We have a prospect that is asking if Natural for Ajax supports Single Sign On. Do we have such a capability or know of any customers that have crafted an SSO solution?

I see the main obstacle being the authentication to Natural where the network user credentials may not be the same as the Natural user id and password. We could of course use an anonymous user for Natural but this may not be acceptable for audit or security reasons.

I have met a similar situation with an ApplinX opportunity earlier this year and maybe a similar solution could be used with NJX? Here the requirement was to use SSO when accessing an AS400 application via ApplinX web enablement. The solution proposed was to configure the application server for Kerberos, extend the ApplinX logon class to lookup AS400 credentials on LDAP for the Kerberos user (using the Kerberos principal name) and then use these AS400 credentials to logon to the target application.

Any thoughts or ideas?

Kind regards,
David Sanders