From your question it is not clear if you are required to create a custom servlet or you just need to make login based on a request parameter. The main difference is that a custom servlet is not intercepted by Seam and you cannot use components unless you manually start a seam lifecycle (as noted by Trind, you need to use LifeCycle.beginCall() and LifeCycle.endCall() to be able to use Seam components when calling from outside SeamFilter). Other than that, the two solutions work similarly.

Create a component that will handle authentication:

@Name("myAuthenticator")
public class MyAuthenticator implements Serializable {

    // Seam's identity component
    @In private transient Identity identity;

    // When logged in, the user needs to have some roles, usually
    // you assign these dynamically based on user name, type, etc., here
    // I just initialize it to a fixed list of roles
    ArrayList<String> roles = new ArrayList<String>(Arrays.toList(
            new String[] { "base", "admin" }));

    // Access key (getters and setters omitted but are necessary)
    private String accessKey;

    public String doAuth() {
        // Check accessKey validity (against an SSO service or 
        // in your DB or whatever), here we do a trivial check.
        boolean userCanAccess = "ADMINKEY".equals(accessKey);

        if (userCanAccess) {
            identity.acceptExternallyAuthenticatedPrincipal(
                    new SimplePrincipal("username"));

            // Assign user roles
            for (String role : roles) {
                identity.addRole(role);
            }
            return "ok";
        }
        return "ko";
    }
}

Now create a login page descriptor that will handle login via the parameter (say externalLogin.page.xml, you don’t need to create an .xhtml page for this):

<page>
    <!-- this sets the accessKey variable with the query parameter -->
    <param name="accessKey" value="#{myAuthenticator.accessKey}" />

    <!-- this invokes our authentication action -->
    <action execute="#{myAuthenticator.doAuth}" />

    <!-- navigation rules, these determine what to do if auth is ok or fails -->
    <navigation from-action="#{myAuthenticator.doAuth}">
        <rule if-outcome="ko">
            <redirect view-id="/error.xhtml">
                <message severity="ERROR">Invalid Authentication Key</message>
            </redirect>
        </rule>
        <rule if-outcome="ok">
            <redirect view-id="/home.xhtml">
                <message severity="INFO">Welcome!</message>
            </redirect>
        </rule>
    </navigation>
</page>

Now to perform login you can use that page, like so:

http://localhost:8080/yourapp/externalLogin.seam?accessKey=XXXXXXXX

If you need to use a custom servlet (very unlikely, but nevertheless), the above component does not change, just call it from within the servlet like this:

public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
    // Start Seam lifecycle
    LifeCycle.beginCall();
    // Get an instance of the authenticator component from Seam
    MyAuthenticator auth = Component.getInstance("myAuthenticator");
    // Set access key in component and perform auth
    auth.setAccessKey(req.getParameter("accessKey"));
    String result = auth.doAuth();
    // End Seam lifecycle, no more component calls are needed.
    LifeCycle.endCall();

    // Do something here with the result
    if ("ok".equals(result)) {
        resp.sendRedirect(...);
    }
}