Hi Jack, I'll just chime in here and add to what everyone has already said:
I use two accounts for this: one account represents an application (not an end user) - call it account A. That account is used to communicate with the service (service B) - A authenticates with B for all service communication. One of those service calls is a 'user login service': app A bundles up user C's principals/credentials as the service payload and calls into B. Service B authenticates user C as a normal user authentication process.

HTH!

Les
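The two-layer arrangement described in the message above, as an added example that is not part of the original post: service B first authenticates the calling application A, and only then authenticates user C from the payload. Assumptions not in the post: A authenticates to B with an HMAC over each request, B stores PBKDF2 password hashes, the call travels over TLS, and every name, key and password here is constructed.

```python
import hashlib, hmac, json, secrets

# Constructed sample data (assumption): one application account, one end user.
APP_KEYS = {"app-A": b"constructed-app-secret"}   # application accounts known to B
_SALT = secrets.token_bytes(16)

def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

USERS = {"user-C": (_SALT, _hash_pw("correct horse", _SALT))}  # end-user accounts on B

def sign_request(app_id: str, key: bytes, body: bytes) -> str:
    """App A side: authenticate the call itself by signing app id + body."""
    return hmac.new(key, app_id.encode() + b"\n" + body, hashlib.sha256).hexdigest()

def user_login_service(app_id: str, signature: str, body: bytes) -> dict:
    """Service B side: authenticate the application first, then the user."""
    key = APP_KEYS.get(app_id)
    # Compute an HMAC even for unknown apps so both failure paths do similar work.
    expected = sign_request(app_id, key or b"\0", body)
    if key is None or not hmac.compare_digest(expected.encode(), signature.encode()):
        return {"status": 401, "error": "application not authenticated"}
    try:
        creds = json.loads(body)
        username, password = creds["username"], creds["password"]
        if not (isinstance(username, str) and isinstance(password, str)):
            raise TypeError("credentials must be strings")
    except (ValueError, KeyError, TypeError):
        return {"status": 400, "error": "malformed payload"}
    # Unknown users get a dummy salt and an empty hash, so the comparison fails.
    salt, stored = USERS.get(username, (b"\0" * 16, b""))
    if not hmac.compare_digest(_hash_pw(password, salt), stored):
        return {"status": 403, "error": "user login failed"}
    return {"status": 200, "user": username, "via": app_id}

def call_login(app_id: str, key: bytes, username: str, password: str) -> dict:
    """App A bundles user C's credentials as the payload and calls service B."""
    body = json.dumps({"username": username, "password": password}).encode()
    return user_login_service(app_id, sign_request(app_id, key, body), body)
```

The distinct 401 and 403 results let B's logs separate a caller that is not a trusted application from a trusted application relaying a bad user login.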
