I'll try to look at this code when I can come up for air from the Sloan upgrade.
Two quick thoughts without having looked at the code:
a) This sounds like it could be implemented as an external authentication method in acs-authentication, if it isn't already.
b) Below a slightly more complicated variant that I believe is more secure because no secrets are ever passed. Downside is it's a bit more complex. I've implemented it a couple of times and its not too bad.
i) User logs in to campus network
ii) Campus network generates a unique but otherwise random string, saves it plus the user id plus a timestamp and redirects user to OACS with the random string as a URL argument.
iii) OACS issues a backend GET request to campus network with the random string. Campus network maps random string to user id and timestamp. If everything checks out, campus network returns user id.
iv) OACS maps campus user id to local user id, and logs user in.
