We do this with an auth plugin. We have a single sign-on system which the user logs into. If they go to Moodle once they are logged in, the auth plugin checks that their SSO cookie is valid (by calling back to the SSO system via a web service), creates them an account if they dont have one, and logs them in to Moodle.
We use the before_http_headers callback to run code at the start of each page which lets us check if they're logged in.