wrongecho
I'm sure it's been explained elsewhere, but I am a bit perplexed as to why it cannot be done. I would think a field with the value of SSO or internal in the user table for the techs/admin/staff could help ITFlow decide how to authenticate the tech/admin/staff person. If SSO, then authenticate via SSO. If internal, authenticate the way it is now. You could still use ITFlow to assign permissions in the app, or do it via groups from the SSO provider.
If I were making the changes, I'd have a generic User object, and then an InternalUser and SSOUser object that can feed into the generic User object. (This sounds right in my head, but will probably be confusing to read). Maybe this will help clarify it:
User Object would have:
1. userId
2. userName
3. isInternal (boolean, yes? do internal auth, no? do SSO auth)
4. accessLvl (int, based on the toggle switches that are selected in the current permissions structure)
5. sessionCookie (id of cookie set that stores this object)
InternalUser
// All the current internal user stuff
SSOUser
// All the SSO stuff that would be needed.
Have both of those classes/objects extend the User object/class.
That's my two cents. I also haven't done any coding in almost a decade (except little fixes to things I've downloaded where someone made a typo), so there's that. I also don't really know the models you're using for staff/admin user objects, so maybe it really can't be done. Just throwing it all out there.
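A sketch of the User / InternalUser / SSOUser split proposed in the post above, added here as an illustration and not taken from ITFlow or written by the poster. It assumes SSO claims arrive already signature-verified by an OIDC/SAML library; the table layout, field names, issuer URL and sample rows are all constructed, and Python is used only because the proposal is language-neutral.

```python
import hashlib
import hmac
from dataclasses import dataclass

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

@dataclass
class User:  # generic fields from the post (sessionCookie omitted)
    user_id: int
    user_name: str
    is_internal: bool
    access_lvl: int

@dataclass
class InternalUser(User):
    salt: bytes = b""
    pw_hash: bytes = b""
    def authenticate(self, credential) -> bool:
        if not isinstance(credential, str):  # an SSO assertion is not a password
            return False
        return hmac.compare_digest(hash_password(credential, self.salt), self.pw_hash)

@dataclass
class SSOUser(User):
    issuer: str = ""
    subject: str = ""
    def authenticate(self, credential) -> bool:
        # credential: claims whose signature an OIDC/SAML library already verified
        if not isinstance(credential, dict):  # a password never logs in an SSO user
            return False
        return (credential.get("iss"), credential.get("sub")) == (self.issuer, self.subject)

def load_user(row: dict) -> User:
    # The stored is_internal flag, never client input, selects the auth path.
    return (InternalUser if row["is_internal"] else SSOUser)(**row)

def login(table: dict, user_name: str, credential):
    row = table.get(user_name)
    if row is None:
        return None
    user = load_user(row)
    return user if user.authenticate(credential) else None

def sample_table() -> dict:  # constructed sample rows, not ITFlow's schema
    salt = b"constructed-salt"
    return {
        "alice": dict(user_id=1, user_name="alice", is_internal=True, access_lvl=3,
                      salt=salt, pw_hash=hash_password("correct horse", salt)),
        "bob": dict(user_id=2, user_name="bob", is_internal=False, access_lvl=1,
                    issuer="https://idp.example.test", subject="bob-123"),
    }
```

Because the auth path is chosen from the stored row, an SSO-flagged account has no password route at all, and permissions (`access_lvl`) stay in the application's own table regardless of which path authenticated the user.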