Ah, ok.
So in that case the 'authentication module' is some code on your webserver that handled the REST API with the QPS. We worked to this spec (https://help.qlik.com/sense/2.1/en-US/developer/#../Subsystems/ProxyServiceAPI/Content/ProxyServiceA...). EDIT: this is the part where QPS requests the userID from the session cookie and compare the returned user ID to QlikSenses users. NOTE, you'll be using a virtual proxy for this and the prefix = the user directory.
Reading the doc you mentioned again, I would say that the 'identity provider' can be considered to be your website. You will have set up a UDC that looks at the website users and pulled them across under a specific user directory. When someone logs into your platform and is given a session ID in a cookie and then navigates to the object in question (<qs_url>/<directory>/<single_object_guid>), then the QPS sends a request to your 'authentication module, (aka the code you've written to handle the above session module API). As mentioned above, your code will take the session ID sent by the QPS and return a GET request with the userID, if you get a null response, then you can send an ADD request. As long as the userID is valid and has a valid user or login token, QlikSense will grant a new session to that user.
At least, this is how we're doing it. I think there is more than one way to do this solution in QlikSense.
Dave
