You can use SAML for this too; it's a bit more Enterprise-y (read: stupidly complicated) but there are IdPs for PHP, Python and Java and SPs for Django and Apache (mod_mellon).
Yup, enterprise-y is what I've been trying to avoid here. A lot of overhead for users that I can count on my fingers without using binary. Also, many of the big SSO systems seem to require the application to be aware of it, which is a showstopper to me: I want to protect with SSO ANY webapp ANYONE has written, even the simplest ones, without having to bother with trying to make it aware of the system. That's the whole point of setting REMOTE_USER: either the app doesn't care about identity (think status panel without any actions), or most likely it is already able to hand off authentication to the frontend HTTP server.
Yeah, if you're in the handful of users area it's way overkill. Mod_mellon doesn't quite handle REMOTE_USER but it does set a request variable (MELLON_USER IIRC) so if you have any control over the source at all you can just bodge that in pretty easily (the Django bits to grok that are ~4 lines). Also ties you to Apache but on the other hand lets you chain authentication to Google Apps, which is gold if you've got a preexisting authentication system.
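
The hand-off discussed in this thread, sketched as a framework-neutral WSGI wrapper (an added example, not code from any commenter or from mod_mellon): it copies the identity variable set by the frontend server into REMOTE_USER and discards client-supplied look-alike headers. The variable name MELLON_USER is the one recalled in the comment above and is an assumption here; the class, app and helper names are hypothetical.

```python
from wsgiref.util import setup_testing_defaults

# Assumption: name of the variable the frontend auth module sets,
# as recalled in the thread ("MELLON_USER IIRC").
FRONTEND_VAR = "MELLON_USER"

# A client header such as "Remote-User: admin" reaches WSGI as
# HTTP_REMOTE_USER, so these keys must never be treated as identity.
SPOOFABLE = ("HTTP_REMOTE_USER", "HTTP_MELLON_USER")


class RemoteUserFromFrontend:
    """Expose the frontend-authenticated user to an unmodified app."""

    def __init__(self, app, source_var=FRONTEND_VAR):
        self.app = app
        self.source_var = source_var

    def __call__(self, environ, start_response):
        for key in SPOOFABLE:
            environ.pop(key, None)
        user = environ.get(self.source_var, "")
        if isinstance(user, str) and user.strip():
            environ["REMOTE_USER"] = user.strip()
        else:
            # source_var is the only trusted identity source in this sketch.
            environ.pop("REMOTE_USER", None)
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for an app that only knows about REMOTE_USER."""
    user = environ.get("REMOTE_USER")
    status = "200 OK" if user else "401 Unauthorized"
    body = (user or "anonymous").encode()
    start_response(status, [("Content-Type", "text/plain")])
    return [body]


def call(app, extra_environ):
    """Run one constructed request through the app; return (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(extra_environ)
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"] = status
    body = b"".join(app(environ, start_response))
    return seen["status"], body.decode()
```

The wrapper only helps if the frontend server is the sole path to the application; a backend port reachable directly bypasses the authentication entirely.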