Hi,
You want to:
- host the logon page on an external server with "external logon page"
- authenticate the user on AD
- allow the user to browse Joomla with SSO "SSO - Forms Client Initiated"
Are you authenticated on AD? If yes, the external logon page is providing the username and password in the session.logon.last.username and session.logon.last.password variables.
To troubleshoot, can you add a message box before Allow with this message:
Logon Username is: %{session.logon.last.username}
SSO Username is: %{session.sso.token.last.username}
It will show you the ssl credential mapping result (Logon username and SSO username must be the same).
If all is OK until here, now you can search how to configure SSO with Joomla. SSO is working with the SSO variables and the use of the external logon page is not the cause.
Using "SSO - Forms Client Initiated" is a big challenge. Most of the time, it is easier to change the back end server authentication instead of configuring "SSO - Forms Client Initiated".
If you look at the "SSO - Forms Client Initiated" behavior, it is not the best SSO method, as it inserts JavaScript in the server response, forcing the browser to POST the authentication form with fake credentials, inspects the next request and replaces the fake credentials with the right ones.
I had some issues with this SSO method when authenticating to Exchange 2013 (I followed the deployment guide).
There are some Joomla plugins to support Basic or Kerberos authentication.