I'm just looking for different opinions. Do you consider OpenID a good "Single Sign On" solution?
The way it works seems to be a little bit confusing for an average user and there could be problems related to "putting all your eggs in the same basket".
Anyway, has anyone tried to implement his own OpenID solution within the context of an Intranet where there are many different applications (WordPress, Elgg, MediaWiki, ...)?
I consider it could be a great solution to solve the "Digital Identity" problem but I don't know if it will work with the "login once and surf the Intranet" problem.
Opinions?
Also, SSO (as you mentioned) usually implies that I only have to log in once (presumably to my workstation) and then from there on, I don't need to sign in anywhere.
OpenID of course doesn't solve that problem. For example, if I use OpenID to sign in to StackOverflow, it doesn't mean I don't need to sign in to another website again using the same OpenID.
It took me a while to understand OpenID (so many providers!) but I really like the concept. Tie it in with Gravatar and rewriting your profile is much more painless - perhaps one or two fields.
The only issues are that you have to trust your OpenID provider - but that's not really what I'd call a problem, more like common sense.
Edit: People having problems with OpenID providers should consider setting up a new one. My provider is myopenid.com and I've had no problems. You can set up multiple personas (like profiles) so I have one for blog comments, one for technology sites like this.
As for having a new SO profile Jeff said something about being able to change your OpenID without losing your profile stats in the future.
Well.. I'd have liked a simple login-pwd combo (that I'd breeze through with Passwordmaker.org). However, being a developer, I can understand that they didn't want to reinvent the login wheel again...
OpenID:
I enter my blog URL => Google sign in => I'm in.
It's an extra level.. but it's OK.
The best answer on "can someone briefly explain Single sign on? i want to use openid as SSO" explains well how OpenID and SSO are different:
The same post also gives an excellent answer to the original question:
I think OpenID is far too confusing and clunky to force on any user, and I'm not even convinced it's solving an authentic problem. Having to register on each site I use has never struck me as a major issue. Particularly as it doesn't especially solve that problem; when I linked my OpenID to StackOverflow I had to fill out extra details anyway. It might as well have had a regular registration process for all the difference it makes.
I'm pretty ambivalent on OpenID. On the one hand, it addresses the 'identity provider discovery problem' (how the relying party site figures out where to send the user to authenticate). On the other hand, URLs are tremendously clunky to the average user.
I see OpenID as it currently stands as being a useful stop on the road to a solution for Web identity, but certainly not the ultimate destination.
Specifically addressing your intranet question, OpenID is probably not the right answer. As I mentioned above, OpenID buys you the ability to locate the identity provider, at the cost of typing in that URL at every relying party. If you're going to be authenticating all your users at some internal identity provider, and only accepting users from that identity provider, OpenID really doesn't gain you much.
I would look at a system such as CAS or OpenSSO, either of which will redirect users to the login page without any need to enter a URL. I recently blogged about a company that rolled out OpenSSO to 40 intranet applications for 3000 users in just 4 months, with apps on IIS 6.0, Apache, JBoss and Tomcat.