I've faced a similar task and I solved it this way:
1) I wrote a script authenticating the user against an external sign-in system and hooked it to the "init" action (at this point you can modify HTTP headers). The script checks whether the user is in the WP database and whether their info is up to date and, if it is not, inserts or updates the user.
At the end, if authentication is successful, wp_set_current_user() is run - this sets the "user is logged in" state for WP.
2) Overrode auth_redirect() from pluggable.php to use a custom script that forces login with authentication against the external system instead of wp-login.php.
3) Hooked a function to the "loginout" filter in order to modify the login/logout URL generated by wp_loginout() so that it uses my authentication script.
And that's basically all. The WordPress DB has no user passwords, but everything else is there. All capabilities are managed by WordPress as usual.
I also had to edit my theme, replacing direct links to wp-login.php with wp_loginout(),
and also modified user-edit.php and profile.php so that general user info cannot be changed (it is synchronized with the main app).
It is made as a plug-in and it seems to work; if anybody sees potential problems with my approach, I would be glad to know - I'm in no way a WordPress guru.
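
The three steps described above, sketched as a single plug-in file. This is an added example, not the poster's code: the `ext_sso_*` names, the example.com URLs and the `return` query parameter are hypothetical placeholders, and the identity check is left as a stub that fails closed.

```php
<?php
/* Plugin Name: External SSO bridge (added illustration; ext_sso_* names are hypothetical) */
define('EXT_SSO_LOGIN_URL', 'https://sso.example.com/login');   // placeholder URL
define('EXT_SSO_LOGOUT_URL', 'https://sso.example.com/logout'); // placeholder URL

// Hypothetical stub: return ['login' => ..., 'email' => ..., 'display_name' => ...]
// only after the external system's assertion has been verified server-side
// (signature or back-channel lookup). A raw request header or cookie is not proof.
function ext_sso_verified_identity() {
    return null; // fail closed until real verification is implemented
}

function ext_sso_login_url() {
    // "return" is an assumed parameter name; the target is fixed to this site.
    return add_query_arg('return', rawurlencode(home_url('/')), EXT_SSO_LOGIN_URL);
}

// Step 1: on "init", sync the verified identity into the WP user table and log it in.
add_action('init', function () {
    $id = ext_sso_verified_identity();
    if (!$id) { return; }
    $login = sanitize_user($id['login'], true);
    if ($login === '') { return; }
    $data = [
        'user_email'   => sanitize_email($id['email']),
        'display_name' => sanitize_text_field($id['display_name']),
    ];
    $user = get_user_by('login', $login);
    if ($user) {
        $result = wp_update_user($data + ['ID' => $user->ID]);
    } else {
        // Choice of this example: a long random password nobody knows.
        $pass   = wp_generate_password(64, true, true);
        $result = wp_insert_user($data + ['user_login' => $login, 'user_pass' => $pass]);
    }
    if (!is_wp_error($result)) { wp_set_current_user($result); }
});

// Step 2: plug-ins load before pluggable.php, so this definition replaces core's.
if (!function_exists('auth_redirect')) {
    function auth_redirect() {
        if (is_user_logged_in()) { return; }
        nocache_headers();
        wp_redirect(ext_sso_login_url());
        exit;
    }
}

// Step 3: point the link produced by wp_loginout() at the external system.
add_filter('loginout', function ($link) {
    $in = is_user_logged_in();
    $url = $in ? EXT_SSO_LOGOUT_URL : ext_sso_login_url();
    return '<a href="' . esc_url($url) . '">' . esc_html($in ? 'Log out' : 'Log in') . '</a>';
});
```

Because the sketch never issues a WordPress auth cookie, every request is re-checked against the external system in the "init" hook, and anyone who can forge whatever `ext_sso_verified_identity()` accepts becomes that WordPress user with all of that user's capabilities.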