...
1. Separating Authentication from Authorization. The currently available set of Confluence plugins combines both of these functions. For instance, a site can use LDAP for BOTH authN and authZ (group memberships). A site can't use Kerberos for authN and LDAP for authZ. A site can't use its existing Web SSO product for authN and LDAP for authZ. A site can use Crowd as an SSO and LDAP for authZ... but why would a campus want to deploy yet another Web SSO framework? Many campuses report developing custom plugins to handle authN, authZ, and Groups management.
2. Operating in a Hybrid environment. A growing number of campuses worldwide report that they need to allow both local and remote users access to controlled spaces. They need to allow both local and Federated users to log in to Confluence and gain access to resources. This implies the need for some mechanism to persist privileges associated with remote users; perhaps the easiest approach is to dynamically create user objects within Confluence for the remote users and to attach privilege information to those user objects.
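The two requirements above, sketched as an added example (not Confluence code and not any plugin's API): authentication and group lookup are separate, swappable functions, and federated users get a user object created on first login so that privileges granted to them persist. The request keys, `HOME_SCOPE`, the `DIRECTORY` stand-in for LDAP, and all class and function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

HOME_SCOPE = "campus.example"                      # constructed sample value
DIRECTORY = {"alice": {"staff", "wiki-admins"}}    # constructed stand-in for LDAP groups

@dataclass
class User:
    name: str
    source: str                                    # "local" or "federated"
    groups: set = field(default_factory=set)

# Authentication only: each function returns a scoped principal or None.
# Both assume a trusted front end (Kerberos/SPNEGO module, Web SSO agent)
# has already verified the value; the request keys are hypothetical.
def kerberos_authn(request):
    return request.get("krb_principal")

def federation_authn(request):
    return request.get("eppn")

# Authorization only: group lookup, independent of how the user authenticated.
def directory_groups(uid):
    return set(DIRECTORY.get(uid, ()))

class AccessLayer:
    def __init__(self, authenticators, group_source):
        self.authenticators = authenticators
        self.group_source = group_source
        self.users = {}                            # stands in for the wiki's user store

    def login(self, request):
        principal = next((p for a in self.authenticators if (p := a(request))), None)
        uid, sep, scope = (principal or "").partition("@")
        if not (uid and sep and scope):
            return None                            # unauthenticated or unscoped: reject
        if scope == HOME_SCOPE:
            user = self.users.setdefault(uid, User(uid, "local"))
            user.groups = self.group_source(uid)   # refreshed from the directory
        else:
            # Keyed by the full scoped name so it cannot collide with a local uid;
            # groups granted inside the wiki persist across logins.
            user = self.users.setdefault(principal, User(principal, "federated"))
        return user

    def grant(self, name, group):
        self.users[name].groups.add(group)

    def can_view(self, user, space_groups):
        return bool(user.groups & set(space_groups))
```

A federated `alice@partner.example` and the local `alice` end up as two distinct user objects, and the federated one starts with no groups until a space administrator grants some.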
...