User and device authentication in enterprise systems
US-2015350168-A1 · Dec 3, 2015 · US
US12034854B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12034854-B2 |
| Application number | US-202117180821-A |
| Country | US |
| Kind code | B2 |
| Filing date | Feb 21, 2021 |
| Priority date | Aug 22, 2016 |
| Publication date | Jul 9, 2024 |
| Grant date | Jul 9, 2024 |
Official abstract text for this publication.
A method of enabling single sign-on (SSO) access to an application executing in an enterprise, wherein authorized, secure access to specific enterprise applications is facilitated via an enterprise-based connector. In response to successful authentication of an end user via a first authentication method, a credential associated with the successful authentication is encrypted to generate an encrypted user token. The encrypted user token is then forwarded for storage in a database accessible by the enterprise-based connector. Following a redirect (e.g., from a login server instance) that returns the end user to the enterprise-based connector, the encrypted user token is fetched and decrypted to recover the credential. The credential so recovered is then used to attempt to authenticate the user to an application via a second authentication method distinct from the first authentication method. Typically, the first authentication method is an HTML form-based authentication initiated from a client browser, and the second authentication method is NTLM or Kerberos.
Opening claim text (preview).
What is claimed is as follows:
1. A method of enabling single sign-on (SSO) access to an application executing in an enterprise, comprising: at a connector device associated with and located external to the enterprise, the connector device providing end users external to the enterprise with authorized, network-based secure access to an application without inbound open tunnels or ports to the enterprise, the application being configured for access via multiple, distinct authentication methods: during a first access to the application, and responsive to successful authentication of a user via a first authentication method, encrypting a credential associated with the successful authentication to generate an encrypted user token; storing the encrypted user token in a database; during a second, subsequent access to the application, and following a redirect that returns the user to the connector device, fetching the encrypted user token from the database; decrypting the encrypted user token to recover the credential; and performing an authentication protocol translation by using the recovered credential to authenticate the user to the application via a second authentication method non-overlapping to the first authentication method.
2. The method as described in claim 1 wherein the first authentication method is an HTML form-based authentication initiated from a client browser.
3. The method as described in claim 2 wherein the second authentication method is NTLM or Kerberos.
4. The method as described in claim 1 wherein the credential is encrypted with a private key uniquely-associated with the connector.
5. The method as described in claim 1 wherein the first authentication method also includes a second factor of authentication.
6. The method as described in claim 1 wherein the redirect is initiated from a login server operated by a service provider.
7. The method as described in claim 6 further including the login server providing an HTML login form to facilitate the authentication using the first authentication method.
8. The method as described in claim 1 further including receiving the encrypted user token.
9. The method as described in claim 8 wherein the encrypted user token is received via an HTTP header.
10. The method as described in claim 1 wherein the second authentication method includes generating a connection, and wherein the connection is maintained in a connection pool keyed to the user.
11. The method as described in claim 10 further including using the connection to manage additional requests for the user.
12. A computer program product in a non-transitory computer readable medium comprising computer program instructions executable by a hardware processor and configured as a connector device associated with and located external to an enterprise to enable single sign-on (SSO) access to an application executing in the enterprise, the computer program instructions configured to: during a first access to the application, the application being configured for access via multiple, distinct authentication methods, and responsive to successful authentication of a user via a first authentication method, encrypt a credential associated with the successful authentication to generate an encrypted user token; store the encrypted user token in a database; during a second, subsequent access to the application, and following a redirect that returns the user to the connector device, fetch the encrypted user token from the database; decrypt the encrypted user token to recover the credential; and perform an authentication protocol translation by using the recovered credential to authenticate the user to the application via a second authentication method non-overlapping to the first authentication method; the connector device providing end users external to the enterprise with authorized, network-based secure access to the application without inbound open tunnels or ports to the enterprise.
13. The computer program product as described in claim 12 wherein the first authentication method is an HTML form-based authentication initiated from a client browser, and the second authentication method is one of: NTLM, and Kerberos.
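The abstract and claims 1, 4, 10 and 11 describe a connector that encrypts a form-authenticated credential into a user token with a key unique to the connector, stores it in a database, fetches and decrypts it after the login-server redirect, and then uses the recovered credential for a second authentication method while keeping one backend connection per user. The Go program below is an added illustration of that flow and is not code from the patent or any product implementing it. It assumes AES-GCM for the token (the patent names no algorithm, only a connector-associated private key), an in-memory map as the database, and a constructed `simulatedBackend` that only models the outcome of the NTLM/Kerberos leg, which the page does not detail; every type and function name is hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Credential is what the first (HTML form-based) authentication step yields.
type Credential struct {
	User     string
	Password string
}

// BackendConn stands in for an authenticated connection to the enterprise
// application, the result of the second authentication method (claim 10).
type BackendConn struct {
	User string
	Uses int
}

// SecondMethod is a hypothetical interface for the second authentication
// method. A real connector would run NTLM or Kerberos here; this example
// only models the accept/reject outcome of that exchange.
type SecondMethod interface {
	Authenticate(user, password string) (*BackendConn, error)
}

// simulatedBackend is a constructed stand-in that checks the recovered
// credential against a digest table instead of a domain controller.
type simulatedBackend struct{ digests map[string][32]byte }

func newSimulatedBackend(users map[string]string) *simulatedBackend {
	b := &simulatedBackend{digests: map[string][32]byte{}}
	for u, p := range users {
		b.digests[u] = sha256.Sum256([]byte(p))
	}
	return b
}

func (b *simulatedBackend) Authenticate(user, password string) (*BackendConn, error) {
	want, ok := b.digests[user]
	got := sha256.Sum256([]byte(password))
	if !ok || subtle.ConstantTimeCompare(want[:], got[:]) != 1 {
		return nil, errors.New("second authentication method rejected credential")
	}
	return &BackendConn{User: user}, nil
}

// Connector holds the key unique to this connector (claim 4), the token
// database from the abstract, and the per-user connection pool (claim 10).
type Connector struct {
	aead  cipher.AEAD
	store map[string][]byte       // token id -> encrypted user token
	pool  map[string]*BackendConn // keyed to the user
}

func NewConnector(key []byte) (*Connector, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Connector{aead: aead, store: map[string][]byte{}, pool: map[string]*BackendConn{}}, nil
}

// IssueToken is the first-access step: encrypt the credential into a user
// token and store it under a random id, which is what the redirect carries back.
func (c *Connector) IssueToken(cred Credential) (string, error) {
	if strings.ContainsRune(cred.User, 0) {
		return "", errors.New("invalid user name")
	}
	idBytes := make([]byte, 16)
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(idBytes); err != nil {
		return "", err
	}
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	tokenID := base64.RawURLEncoding.EncodeToString(idBytes)
	plaintext := []byte(cred.User + "\x00" + cred.Password)
	// The token id is bound in as associated data, so a ciphertext copied to a
	// different id in the database no longer decrypts.
	c.store[tokenID] = c.aead.Seal(nonce, nonce, plaintext, []byte(tokenID))
	return tokenID, nil
}

// Redeem is the second-access step: fetch the token, decrypt it with this
// connector's key, and use the recovered credential with the second method,
// reusing a pooled connection for the user when one exists (claim 11).
func (c *Connector) Redeem(tokenID string, backend SecondMethod) (*BackendConn, error) {
	sealed, ok := c.store[tokenID]
	ns := c.aead.NonceSize()
	if !ok || len(sealed) < ns {
		return nil, errors.New("unknown or malformed token")
	}
	plaintext, err := c.aead.Open(nil, sealed[:ns], sealed[ns:], []byte(tokenID))
	if err != nil {
		return nil, fmt.Errorf("token rejected (tampered or foreign key): %w", err)
	}
	user, password, found := strings.Cut(string(plaintext), "\x00")
	if !found {
		return nil, errors.New("malformed credential")
	}
	if conn, ok := c.pool[user]; ok {
		conn.Uses++
		return conn, nil
	}
	conn, err := backend.Authenticate(user, password)
	if err != nil {
		return nil, err
	}
	conn.Uses = 1
	c.pool[user] = conn
	return conn, nil
}

func main() {
	c, err := NewConnector([]byte("0123456789abcdef0123456789abcdef")) // constructed demo key
	if err != nil {
		panic(err)
	}
	backend := newSimulatedBackend(map[string]string{"alice": "correct horse"})
	id, _ := c.IssueToken(Credential{User: "alice", Password: "correct horse"})
	conn, err := c.Redeem(id, backend)
	fmt.Println("redeemed:", conn != nil, "err:", err)
}
```

The GCM tag is what turns the stored token into something useful only to the holder of the connector key: a modified ciphertext, a token moved to another database row, or a token read with a different connector's key all fail at `Open` before any credential is recovered. Token lifetime and revocation are not specified by the patent and are not modelled here.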
applying multi-factor authentication · CPC title
providing single-sign-on or federations · CPC title
for key distribution, e.g. centrally by trusted party (cryptographic mechanisms or cryptographic arrangements for key distribution involving a central third party H04L9/0819) · CPC title
using a predetermined code, e.g. password, passphrase or PIN (network architectures or network communication protocols for supporting authentication of entities using passwords in a packet data network H04L63/083) · CPC title
using a plurality of keys or algorithms · CPC title