I wanted to do something similar with one of the applications I’m developing right now using TurboGears. I thought I would write a new identity provider, but instead went about hacking TurboGears. I noticed that TurboGears defualt soaprovider can be improved to seperate user authentication and marking a user as authenticated, hence making it reusable.
In my application’s controller I use this newly introduced method to mark the user as authenticated. I thought someone else might hit the same problem, and blogged about it.
You can download the patch from http://www.mohanjith.net/downloads/scripts/python/TurboGears/22.214.171.124/soaprovider.diff, it is created against TurboGears 126.96.36.199.