Fixed on latest themes.
I am guessing on all of this, never done it before
It sounds as if you want to override the local login strategy rather than provide an SSO service.
To do this you need to provide a local login strategy to passportjs during that hook, just as the core does here:
Instead of controllers.authentication.localLogin, use your own callback function. It is passed (req, username, password, next) just as it is here.
You would essentially the same thing that function does, but instead of using the local user info, use your own database to compare the username/passwords too.
If the login is successful, you need to create a local user and attach an ID from your database entry to the user's local database entry, so you can look that up when the user logs in again.
Also in the admin panel, change the registration type to none, so that users are required to have an account at your existing db.