Where does using rational $wgGroupPermissions, HTTP/SSL, and basic/NTLM authentication fall short? Extending this out to partners / extranet doesn't seem too hard or removed as well. Especially if you're doing Portals or other specific namespaces.