...
Shibboleth and EZProxy at MIT
"Our overall aim is to implement Shibboleth SSO as widely as possible so we can return authentication where it belongs; with central computing where credentials are managed . . ."
There is an interesting example of a diagram from Cornell here. (Look at diagram #1.)