The SSO mechanism works great -- but it's horribly insecure if the user is on a public WiFi. It looks like I can set it to HTTPS but the user has to ignore the SSL cert error.
I also think the token should only work once. Or at least that could be an option. I guess I could accomplish this with a very short expiration date, but expiring after use would provide a little more security.
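The difference between expiry-only and single-use tokens raised in the post, as an added example that is not code from the product under discussion. The token layout (HMAC-signed JSON with `sub`, `exp`, `jti`), the function names and the in-memory store are assumptions made for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

SECRET = secrets.token_bytes(32)   # demo key, constructed for this example
_redeemed = {}                     # jti -> expiry; use a shared store with atomic insert in production


def _sign(body: bytes) -> bytes:
    return hmac.new(SECRET, body, hashlib.sha256).digest()


def issue(user, ttl=60, now=None):
    """Return a signed token carrying subject, expiry and a random one-time id (jti)."""
    now = time.time() if now is None else now
    body = json.dumps({"sub": user, "exp": now + ttl, "jti": secrets.token_hex(16)}).encode()
    return ".".join(base64.urlsafe_b64encode(p).decode() for p in (body, _sign(body)))


def redeem(token, single_use=True, now=None):
    """Return the user name if the token is accepted, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = (base64.urlsafe_b64decode(p) for p in token.split("."))
    except (ValueError, binascii.Error):
        return None                                  # malformed token
    if not hmac.compare_digest(sig, _sign(body)):
        return None                                  # forged or altered
    claims = json.loads(body)
    if now >= claims["exp"]:
        return None                                  # expired
    if single_use:
        for jti in [j for j, exp in _redeemed.items() if exp <= now]:
            del _redeemed[jti]                       # forget ids that can no longer be replayed
        if claims["jti"] in _redeemed:
            return None                              # replay of an already-used token
        _redeemed[claims["jti"]] = claims["exp"]
    return claims["sub"]
```

Single use only closes the replay window after the first redemption; a token captured before the user redeems it is still accepted once, so the HTTPS problem described in the post remains.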