Share can be configured to use some kind of SSO remote-user header (commonly X-Alfresco-Remote-User or SsoUserHeader) and Alfresco set to use External auth first in the chain.
However, this effectively executes x2 requests more than is needed and also is stateful when it does not need to be.
This is because the SSOAuthenticationFilter uses the same Session based challenge/response code path for remote-user as it does for NTLM/Kerberos etc. This should be avoided as it means the /touch API is called before each and every request to the repo - hugely increasing the traffic between the web-tier and the repo-tier.
The fix is to avoid calling /touch more than once per Share session for a Share user when the SSO remote-user header config is used and also to allow Remote configuration from Share that uses the stateless /service endpoint instead of the Session based /wcservice endpoint.