I use openAM at work and we do authentication at reverse proxy level, using lua on nginx. To integrate with discourse was just a matter of creating one more nginx endpoint that responds to discourse SSO requests, we used lua too, so everything openAM is handled at nginx.