It would be nice if I could authenticate against the authentication facilities of the webserver, e.g. Kerberos/GSSAPI, which manifests in the application via the `REMOTE_USER` environment variable.
For Redmine I protected the `/login-gssapi` URL with mod-auth-gssapi within the webserver. `/login-gssapi` is then setup within Redmine as an alternate route to `/login`, so that I can use a hack/live-patch and a custom authentication provider to adjust the authentication process to also check for the `REMOTE_USER` environment variable. I hope that this is much simpler in Phabricator.