Single sign-on (SSO) is a critical component in large enterprise architectures, both from a security perspective and for the usability of systems. There are many different approaches to implementing SSO. The most common is the approach based on Windows domain authentication, which has many limitations, although it is still plausible and useful for many companies. The limitations worth highlighting are platform support (desktops are fine, other devices are very limited) and extensibility (multi-factor authentication, access to user profile data). All the steps you will read summarise a real project executed in a large company; it was not merely a l'art pour l'art activity of a bored architect.
This article describes an alternative solution that uses the OpenID Connect protocol, utilises Windows authentication, supports different platforms and user channels, handles multi-factor authentication, and so on.