Hi Zbynek --
The LTI launch is secured in two ways: the request itself is encrypted via SSL (so make sure that your tool provider is always served using HTTPS), and the contents of the launch are signed by Canvas using the tool provider's key+secret. This means that nobody should be able to read the encrypted request during transit, and by checking the signature, you can verify that the contents of the request were not changed in transit.
These two security mechanisms mean that your tool can trust the user identity data that's provided in the request, and you don't need to present the user with another login form. Typically the tool provider will use the name/email/unique ID found in the request to look up or create a user account, and then create a session. The details really depend on the particular needs of the tool, the framework you're using, etc.
Hopefully this is helpful; let me know if you have questions!
--Colin
