Here are the tree options that we came up with, thanks to the help of a co-worker Martin Lansche.
3 options:
1) SPNEGO (2-4 weeks; most of the effort is having computers join the Active Directory domain)
Pros:
Full SSO between the desktop and the web applications. Only one sign-on to the user's PC and they are logged on to all the web applications!!
No extra coding (out-of-the-box functionality - in WAS v6.1)
Bi-directional
Cons:
Need all user computers to join the Active Directory domain (will the customer let us?)
2) HTTP Headers (1-2 week)
Pros:
No need for computers to join a domain
Cons:
Needs to go to Sharepoint first
Needs customization to Sharepoint
Only works one way: Sharepoint to WebSphere (users need to sign on to Sharepoint, then go to Connections)
It's a hack - not secure... not how it would be done in production
3) URL attributes (1-2 week)
Pros:
No need for computers to join a domain
Cons:
Needs to go to Sharepoint first
Needs customization to Sharepoint
Needs to develop code on the WAS side (custom TAI adapter)
Only works one way: Sharepoint to WebSphere (users need to sign on to Sharepoint, then go to Connections)
It's a hack - not secure... not how it would be done in production
We are currently leaning on option #1. Stay tuned...