Wikimedia developer services here refers to things like Phabricator, Gerrit, Kibana, Grafana, Wikitech/Horizon etc.
Most of these currently use LDAP to share credentials, but that's not true single sign-on, authentication still happens locally. That's bad for usability (people have to type in passwords all the time) and bad for security (if any one of these services gets compromised, the attacker can harvest the credentials for all the others). It also prevents the use of shared credentials in less secure environments (such as the beta cluster), resulting in awkward workarounds.
There should be an easy way (probably some kind of Apache config that can be enabled by applying a puppet role) to put a website behind single sign-on and limit it to certain user groups.