In addition to what Dave said, the two features really compliment each other. If you configure both SSO and ACS integration on all of your servers you do not need to worry about synchronizing users across all servers, since the one centralized SSO master will provide authentication, and the centralized ACS server will provide authorization.

With just SSO, you will need to configure the same user list on all servers to provide the authorization piece. If ACS is not doable, you should consider scripting some method of copying the cwpass files from the master server to all of the slaves.

Let me make sure I'm not confused here:

You're suggesting:

"We strongly caution against running ACS on CiscoWorks for resource and security reasons."

and SSO and ACS do not have to live together.

So it sounds like I leave ACS out of the picture, implement SSO. If Implementing SSO however, I will need to add the users to each server or find a way to copy them between servers.

Am I even close here?

Thnk very much for you guys' input as I know you guys know this stuff.

You are correct on all counts. SSO only takes care of centralizing authentication. Without ACS integration, authorization will be left up to the local user database (i.e. cwpass).

thnks for the input.