Moved to the security forum.
If I understand your requirement and my memory serves me, the start of a WYDA from a SAPGui transaction (such as SOAMANAGER) is not a logon ticket. It is a re-entry ticket to the same SID (like opening a new session or calling an internal RFC as yourself) so no authentication is required. Only difference is that it goes back via the message server and you might land on a different app server if started that way.
In the case of the user starting the WYDA directly, you can therefore configure the logon procedure independently of the SAPGui-based start (meaning it won't break it) and if that scenario is portal-based navigation or an embedded app in a frame, then a real SAP logon ticket issued by the portal is probably the easiest and fastest way to go.
Many customers already have SAML infrastructure in place for non-SAP applications now, so you should also first consider that before you go the logon ticket route because it means that you are not only limited to SAP.
Cheers,
Julius