No solution yet, still a work in progress. I opened a support ticket with Sitefinity and their response was roughly "haven't tried that yet.. might work.. let us know how it goes".
After further research, I'm thinking setting up a custom token issuer/STS may not be that difficult (I am going to try and use the open source Thinktecture IdentityServer). The bigger issue seems to be the Membership provider.
I was hoping to use two membership providers: the LDAP provider for internal users (who would auth off the Sitefinity-provided STS) and a SQL Membership provider for external users (who would auth off a custom STS, possibly IdentityServer). I'm not sure if this can be done with one site though, since the relying party config in Sitefinity settings has a single parameter to supply the membership provider. Since I only have one site (and thus one relying party), I'm not sure if I can use two membership providers with one site.
The login form component in Sitefinity does have a parameter to supply the membership provider though, so that may be an avenue to get things working.
As I figure things out, I will post back.