I wanted to do something similar with one of the applications I’m developing right now using TurboGears. I thought I would write a new identity provider, but instead went about hacking TurboGears. I noticed that TurboGears defualt soaprovider can be improved to seperate user authentication and marking a user as authenticated, hence making it reusable.
In my application’s controller I use this newly introduced method to mark the user as authenticated. I thought someone else might hit the same problem, and blogged about it.
You can download the patch from http://www.mohanjith.net/downloads/scripts/python/TurboGears/184.108.40.206/soaprovider.diff, it is created against TurboGears 220.127.116.11.