I think you're on the right track.
For my IAP config, I have auth-text "" configured, which works perfect. The external captive portal is handling authentication, really, so if the person is not authenticated, they'd end up back on the captive portal login page. We're doing a sponsored access setup, where someone gets an email with each access request and approves or rejects the access by clicking on a certain link, which sends a URL with a token and an "approve" or "reject" back to the captive portal provider, and the provider, if approved, sends a reply message back to the controller (which is empty, I presume, for auth-text) and the person is redirected to their original URL, or, if rejected, the provider sends nothing back to the controller and redirects the user back to the captive portal login page.
So, what I'm hoping to figure out, is whether I can replicate that auth-text "" command in the controller somehow.... I don't think I'll be able to do anything from the form submit side of things, as the captive portal provider is handling that, and I don't think I can make too many changes to what the provider sends back to the controller. Could I use a custom server rule under my server group to assign the role somehow?