Keeping track of anonymous users' sessions

Continuing the discussion from Authentication against Windows Identity Foundation:

I found an alternate way to work on this: according to the documentation my customer provided, there's a legacy system that can take care of the process; all I have to do is provide a security token and a URL to visit if the authentication succeeds. The legacy system will return the security token so I can check it.

At this point I can consider the user to be authenticated and I can use Plone's standard session tracking mechanism as described in plone.session.

I need to use that information to allow access to forms used to construct queries for other systems using web services.

Has anybody here worked on a similar solution? Do you have some sample code I can study?
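A sketch of the token round trip described in this post, added here as an example and not taken from the poster, Plone, or the legacy system: the site issues a single-use, time-limited token bound to the return URL and checks it when the legacy system sends it back. It assumes the legacy system echoes the token unmodified; `issue_token`, `check_token`, `SECRET`, `MAX_AGE` and the in-memory `_pending` store are hypothetical names, and starting the plone.session session after a successful check is left out.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # assumption: per-site key, kept server-side
MAX_AGE = 300                     # assumption: seconds allowed for the round trip
_pending = {}                     # nonce -> return URL; needs shared storage across workers


def _sign(nonce, issued, return_url):
    # Bind the MAC to the nonce, the issue time and the return URL.
    msg = f"{nonce}|{issued}|{return_url}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(return_url, now=None):
    """Create the token handed to the legacy system together with return_url."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_urlsafe(16)  # URL-safe alphabet, contains no "."
    _pending[nonce] = return_url
    return f"{nonce}.{issued}.{_sign(nonce, issued, return_url)}"


def check_token(token, now=None):
    """Return True only for a fresh, unmodified token that was not used before."""
    now = time.time() if now is None else now
    try:
        nonce, issued_s, mac = token.split(".")
        issued = int(issued_s)
    except (AttributeError, TypeError, ValueError):
        return False  # not a string, or not in nonce.issued.mac form
    return_url = _pending.get(nonce)
    if return_url is None:
        return False  # never issued here, or already consumed (replay)
    expected = _sign(nonce, issued, return_url)
    # Constant-time comparison on bytes, so non-ASCII input cannot raise.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False  # token was altered in transit
    del _pending[nonce]  # single use: a second presentation fails
    return 0 <= now - issued <= MAX_AGE
```
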