Normal applications are usually protected by authentication modules or plugins. Like warships they protect the application against hostile intruders and regulate who is allowed to get in. In Ruby on Rails one would use RestfulAuthentication or AuthLogic for this purpose. They are powerful and easy to configure, and they provide enough protection for a whole application. Once they are adapted to the application and are able to communicate with it, they work fine.

Big Single Sign-On (SSO) Servers are different. Instead of adapting them to your application, you must adapt your application to them. If normal authentication plugins are like warships, then Single Sign-On (SSO) Servers like Shibboleth and OpenAM are like aircraft-carriers of authentication. They are very powerful, and can protect multiple applications, but they are also very huge, heavy and expensive, because they are complicated to configure and to maintain. They are accompanied by multiple other units, for instance web policy agents (which correspond to airplanes). They operate with highest security measures like SAML. They are powerful weapons once they are configured, delivered and deployed. Unfortunately, it often takes a while until they are ready.

(The picture is from Wikipedia and shows the USS Nimitz)