Frontend web dev here with no experience with SSO so bear with me. Keen for a high-level recommendation on the following as I can appreciate it may vary.

We've got a client setting up SSO to login to our Portal and I'm trying to understanding how I can safely call their webservices for user info from our domain via AJAX. Looking at their services they're asking for a User ID and Password, and they mentioned they could pass these via http - I dont how this would work along side SSO (as I have no experience in SSO) and it doesnt seem secure either!

How do you guys normally go about this?

Thanks in advance!

UPDATE -Maybe the simple solution is to get the client to change the web service to use an encrypted version of the user password so they can pass that safely via http, and I turn store that in a session cookie when they first land our site?