I've been working on similar SSO integration a while ago. Although I was integrating Orchard with CAS authentication server, but maybe my experiences on the subject can be helpful:)
This can be achieved in couple of ways. I've created a custom action filter attribute which handles the whole authentication process and helps keep things clean. The filter, after the authentication process, generates and passes an object describing
a user to the corresponding action (action has to take such parameter). Then, I created a custom AccountController in my module (with IOrchardServices and IAuthenticationService injected in the constructor) and decorated the LogOn action (as to keep
naming similar to Orchard.Users, but it's nothing but my convention) with the attribute. Inside the action body I handled the appropriate redirection/automatic user creation based on the provided user object. I checked whether user with the same name
existed in Orchard (by using content query by IOrchardServices.ContentManager) and called IAuthenticationService to log in this user. If the user didn't exist I had three options - to provision a new account (redirecting user to pre-filled with
user Id registration form), to provision the account automatically or to return an error (or something).
This, of course could be better handled by the filter too so to keep Controller clean. I think I'll do that soon.
After some time spent developing Orchard modules I can say that it's not the best-practice-like solution, although works without problems. The problem with attributes is that you can't pass objects to the constructor at runtime (so working with Autofac
container is really tricky and needs several more or less dirty workarounds:/).
If I was to write the authentication now I'd rather stick to implementing IAuthenticationService and handle all authentication logic there. It would replace the default FormsAuthenticationService. I couldn't do it this way then, because I had to allow
admin users to log on locally by Orchard.Users module.