From the Apps Marketplace
An application listed in the Google Apps Marketplace comprises a number of extensions. These extensions can include universal navigation links and OpenID realms. If an application specifies an OpenID realm extension and a user logs in to the application via a URL that matches the specified realm, then the user is signed in via Single Sign-On using his Google Apps credentials and does not see the traditional OpenID authorization screen.
When a user logs in via this method, the web site has access to information, including name and email address, about that user.
To see which OpenID realms are specified by an application, open that application's Settings page in the Google Admin console.
Google Apps for Work and Education: Regardless of whether you have enabled or disabled OpenID for your domain (Dashboard > Security > Advanced settings in the Admin console), if an application identifies OpenID realms, then your users can sign in to the application via those realms. In this case, the whitelisting of the realm overrides the OpenID settings in the Admin console, and the realm is whitelisted under all circumstances.
From the Admin console
An application listed in the Google Apps Marketplace in the Admin console can access specific data granted at install via OAuth2. With that access, an application may automatically sign in users if they navigate via the Universal Navigation URL or browse to the app directly. In either case, the application will be able to identify a user with their Google ID and/or domain email, which enables the application to access additional profile data like Profile Picture and any data access granted by the admin and/or user.
There are certain types of applications designed for complex administered workflows, such as synchronization of identity systems, that may require the ability to act on the behalf or access data of any user in the domain. These applications might still implement SSO but note they provide access to the application with every users data that was granted.
Using a single Identity and Access Management (IAM) service
An identity management access (IAM) service provides administrators with a single place to manage all users, cloud services and devices. This makes it easier to move to cloud services that are not available in Google Apps Marketplace and provides users with a unified sign-on across all their enterprise cloud applications. Using Security Assertion Markup Language (SAML), a user can sign in to enterprise cloud applications via Single Sign-On using their Google Apps credentials. Learn more.
To configure an Identity Provider (IdP) and a Service Provider (SP) select Enable SSO with an existing cloud app. A sub window opens with several enterprise cloud applications. These applications have preconfigured settings which will automatically define the Identity Provider (IdP), the Service Provider (SP), the application name, description, and logo.
To create a totally new SAML configuration, click the Custom App button.
Using the Identity Provider Information window, add the Single Sign-On URL and the Entity ID URL and download the Identity Provider (IdP) certificate and the IdP metadata.
In the General Information window, add an application name, description, and logo.
Using the Service Provider Information window, add an ACS URL, the Entity ID, and a start URL. All of this information will be provided by the Service Provider, who is the creator of the enterprise cloud application you are configuring for Single Sign-On.