What do you do when your app does not support LDAP?

I would like to abandon the ugly hack we have for Rainloop (https://github.com/YunoHost-Apps/rainloop_ynh/blob/master/sources/sso/sso.php) in favor of some LDAP authentication.

However, Rainloop does not have LDAP authentication yet.

I have more or less understood how to “ldap_bind”, but how do you achieve SSO then, as the authentication is done without the user inputting any password?
At the moment I use the password header, but it does not seem secure enough.


Apps usually retrieve the user from the server variables (for instance $_SERVER['PHP_AUTH_USER'] for PHP), which allows automatic login from the portal.
From my understanding, apps that combine using server variables + LDAP make no bind when redirected from the portal: if the user variable isn’t empty, they only make a search in the LDAP directory. However, these apps make a bind if you use their dedicated login page (Nextcloud, Piwigo, etc.).
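
The flow described in the reply above, sketched in PHP as an added example (not code from Rainloop, YunoHost or any app named in the thread): search only when the portal supplies the user, bind when the app's own login form is used. The LDAP URI, base DN, object class, form field names and all function names are assumptions.

```php
<?php
// Added example. All constants and function names below are hypothetical.
const LDAP_URI  = 'ldap://127.0.0.1:389';        // assumption: directory on localhost
const LDAP_BASE = 'ou=users,dc=example,dc=org';  // placeholder base DN

function directory_connect() {
    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        throw new RuntimeException('invalid LDAP URI');
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    return $conn;
}

// Search only, no user bind. The query runs anonymously, which assumes the
// directory allows anonymous reads of user entries.
function find_user_dn($conn, string $uid): ?string {
    $filter = '(&(objectClass=inetOrgPerson)(uid='
            . ldap_escape($uid, '', LDAP_ESCAPE_FILTER) . '))';
    $result = @ldap_search($conn, LDAP_BASE, $filter, ['uid']);
    if ($result === false) {
        return null;
    }
    $entries = ldap_get_entries($conn, $result);
    // Require exactly one match so an ambiguous uid never logs anyone in.
    return $entries['count'] === 1 ? $entries[0]['dn'] : null;
}

function authenticate(array $server, array $post): ?string {
    $conn = directory_connect();
    // Portal path: the user name arrives in a server variable and is only
    // looked up. This is sound only if every request reaches the app through
    // the portal, because nothing here proves who set the value.
    $portalUser = $server['PHP_AUTH_USER'] ?? '';
    if ($portalUser !== '') {
        return find_user_dn($conn, $portalUser) !== null ? $portalUser : null;
    }
    // Dedicated login page: the password is verified by binding as the user.
    $uid = (string) ($post['user'] ?? '');
    $password = (string) ($post['password'] ?? '');
    if ($uid === '' || $password === '') {
        return null; // a bind with an empty password is an unauthenticated bind
    }
    $dn = find_user_dn($conn, $uid);
    return ($dn !== null && @ldap_bind($conn, $dn, $password)) ? $uid : null;
}
```

An app entry point would call `authenticate($_SERVER, $_POST)` and start a session only when it returns a user name.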