Forum OpenACS Development: Re: Permissions on webservices

Posted by Dave Bauer on
If you have control and trust the other systems, just a unique ID that identifies the user should be sufficient.

That is, assume the single-signon has a way to identify each user, let's call it user_id. The remote system passes the user_id as a parameter of the remote call to OpenACS. Since OpenACS trusts this service (based on whatever you determine) it can perform those actions on behalf of the user_id passed in.
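
An added example, not part of the original post and not OpenACS code: one way to make the "trusts this service" step concrete before acting on a passed-in user_id. It assumes a per-service shared secret and an HMAC over the call fields; the service name, secret, action string and function names are all hypothetical.

```python
import hashlib
import hmac
import json
import time

# Constructed sample values: one shared secret per trusted calling system.
TRUSTED_SERVICES = {"sso-portal": b"constructed-demo-secret"}
MAX_SKEW_SECONDS = 300  # assumed freshness window for a call


def sign_call(service, secret, user_id, action, timestamp):
    """Caller side: MAC over every field the receiver will act on."""
    # JSON list encoding keeps field boundaries unambiguous.
    msg = json.dumps([service, user_id, action, timestamp]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def accept_call(service, user_id, action, timestamp, signature, now=None):
    """Receiver side: return the user_id to act as, or None if rejected."""
    now = time.time() if now is None else now
    secret = TRUSTED_SERVICES.get(service)
    if secret is None:
        return None  # unknown caller: its user_id parameter carries no weight
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return None  # call is outside the freshness window
    expected = sign_call(service, secret, user_id, action, timestamp)
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return None  # user_id or action altered in transit, or wrong secret
    return user_id  # caller is trusted; act on behalf of this user


if __name__ == "__main__":
    ts = int(time.time())
    sig = sign_call("sso-portal", TRUSTED_SERVICES["sso-portal"], 42, "post_message", ts)
    print(accept_call("sso-portal", 42, "post_message", ts, sig))  # accepted
    print(accept_call("sso-portal", 43, "post_message", ts, sig))  # rejected
```

The freshness window bounds how long a captured call stays valid but does not stop a replay inside that window; a per-call nonce tracked by the receiver would be needed for that.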