It really depends what you exactly means by single sign-on and what you can have or already have in your organization.
For example if all subwikis share the same main domain (wiki1.mydomain.com, wiki2.mydomain.com, etc.) then you don’t need to authenticate again when you move from one wiki to another. Just need to indicate
mydomain.com in xwiki.cfg
If you are in a Microsoft environment you could use something like NTLM, Kerberos, etc. and configure the LDAP authenticator trust feature (
xwiki.authentication.ldap.remoteUser* properties). In such a setup user never enter any credentials and XWiki just do what it’s told and the decision related to who is allowed to access which domain is in the system which actually take care of the authentication (for example https://github.com/Waffle/waffle).
The same trust feature can also be used with various other SSO systems as long as you find a module which takes care of the actual authentication at application server or proxy level.
Of course you could also use the OpenID Connect extension indeed. One current limitation is that the OpenID Connect authenticator currently does not automatically check if the client is already authenticated on the identity provider so when you come back after a while (i.e. when your session is lost) you have to click login (which go to the provider and come back right away but still annoying). No real technical blocker, just did not had time to work on that yet.