OK. So basically it is the same scenario as mine. They just use a
different client piece. A little bit like what I once set up for a
client to do SSO to ZenDesk.

In that case Zendesk comunicated with a PHP-daemon on a webserver and
the daemon talked to a small client piece on the windows PC.

To make that secure we had the PHP script send a random token to the
client piece and the client piece then wrote that same token into an
attribute on the user's DS object. The PHP script then looked for that
same token in DS and returned the user. Should be pretty hard to break.
To impersonate someone, you need to be able to grab the token and write
it to someone else's object and rights should prevent that.

This works fine for onetimers like login to a webservice, but for stuff
like squid that sends checks for each and every HTTP request at times,
you need to add caching.

- Anders