If a user is logged in - then with every click - you have to confirm the credentials. That's either with a cookie session or a token (URL or form field) or in the HTTP header. After you have confirmed the user - then you let them in to your class and methods.
If you have to redirect then you set the cookie session - and then redirect. The controller you redirect to will be able to read the session cookie. But usually you are going to redirect to kick someone out because their credential did not pass.
Try and set up your diagrams based on the type of user and what they can do - User, Admin, Owner are types of users. And then - what are the users acting on. Some users may be able to create something and update but not delete. So if you define the roles, you immediately separate out the security concerns.
Each role gets at least one controller - so all the methods in the class have the same level of validation. You are not mixing methods for simple users versus methods for a super admin. Let the needs of the specific user define what methods are in the class.
==== edit
oh now you mention single sign on? :-)
This might be of interest: Codeigniter oauth 2 https://github.com/philsturgeon/codeigniter-oauth2
handles: Facebook, Foursquare, GitHub, Google, PayPal, Instagram, Soundcloud, Windows Live, YouTube
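
A sketch of the per-role controller layout described in the answer above, added here as an illustration and not part of the original answer. It assumes CodeIgniter 3 file locations and server-side sessions; the session keys `user_id` and `role` and the class names `Member` and `Admin` are hypothetical and would be set by your own login code.

```php
<?php
// application/core/MY_Controller.php (assumed CodeIgniter 3 layout)
defined('BASEPATH') OR exit('No direct script access allowed');

class MY_Controller extends CI_Controller
{
    // Role every method of the subclass requires; NULL = any logged-in user.
    protected $required_role = NULL;

    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->helper('url');

        // Runs on every request, before any action method is dispatched.
        $user_id = $this->session->userdata('user_id'); // hypothetical key
        $role    = $this->session->userdata('role');    // hypothetical key

        if (empty($user_id)) {
            redirect('login');            // not logged in: redirect() exits
        }
        if ($this->required_role !== NULL && $role !== $this->required_role) {
            show_error('Forbidden', 403); // wrong role: fail closed, exits
        }
    }
}

// application/controllers/Member.php: create and update, no delete method.
class Member extends MY_Controller
{
    protected $required_role = 'user';

    public function create()    { echo 'item created'; }
    public function update($id) { echo 'item ' . (int) $id . ' updated'; }
}

// application/controllers/Admin.php: delete exists only in this class.
class Admin extends MY_Controller
{
    protected $required_role = 'admin';

    public function delete($id) { echo 'item ' . (int) $id . ' deleted'; }
}
```

Because the check lives in the constructor, a method added to `Admin` later inherits it automatically, and a plain user has no route to a delete action at all.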