Authentication and access control are well-supported on the operating system level by projects like FreeIPA and sssd, including integration with Active Directory. Users can then authenticate once, and access machines within their organization without being prompted for password again.
But how about web applications?
In this talk we will look at Apache modules that allow the single-sign on with central access control and identity services to be used for web application as well, building on top of the same bits that are already proven to work well on the OS-level, rather than reimplementing all the parts again. Multiple web projects and products have already been enhanced to take advantage of this setup so demo is more than likely. http://www.freeipa.org/page/Web_App_Authentication