Should the user offer credential every time for a request?
I assume you mean SSO as in single sign-on.
SSO for dumb browsers uses cookie and relies on a common federation domain (eg, jur1.foo.org, jur2.foo.org, etc). A credential obtained by authenticating in one jurisdiction in the federation results in a cookie being set in the user's browser that will be sent to every jurisdiction in the federation.
In the latest release of DACS, support has been added for the affiliation of "peer federations" having different domains. Federation peering allows a user who is able to authenticate in one federation to export her credentials to another federation.
Check out the man page for dacs_auth_transfer in dacs-1.4.11.
Yes, credentials are sent with each request to identify the user making the request. Each HTTP request is independent. If no credentials are sent, the request is essentially anonymous.