I won't pretend to be an uberexpert but I do day-to-day admin/troubleshooting of our Shibboleth Identity Provider (the login page that then provides the token to Shibboleth-enabled webapps / resources).
We use the LDAP authentication when logging in to the Shibboleth page, which then sets up the token our resources use (Moodle currently uses LDAP authentication). So in theory, using Shibboleth login to Moodle should set up the Moodle login session so SSO to Mahara would still work.
I wasn't able to set up the IdP entirely on my own and don't know enough to set up another one, so I'm not able to set up a test rig to prove this.
What we are looking at doing when we go Active Directory for PCs (next summer the last I heard) is setting up something called Kerberos. What this means (in as English as I can get) is:
- user logs in to PC using the AD system
- Kerberos automatically sets up a token, which can be used as Single Sign On
- This token is passed to Shibboleth login page the first time it's called
- Shibboleth then lets users access anything they have rights to (and our staff portal, a homebrew job, could be adapted to accept Shibboleth logins)
So true single sign-on seems achievable.