
Active directory and SSO configuration in windchill

SM_10838685

What is the need for SSO configuration if Windchill is already integrated with the enterprise's Active Directory?

Because if a user uses their AD credentials to log in to Windchill, how exactly is SSO helpful? Does it not ask for any credentials while logging in if SSO is configured?


Is AD integration mandatory for SSO implementation on Windchill?

3 REPLIES

We originally had integrated Active Directory, and just recently implemented SSO (Okta). Users will enter the same credentials either way. Our SSO also has 2-factor authentication, so the SSO adds a little more security for that reason.

You need to have an LDAP. See article:

https://www.ptc.com/en/support/article/CS385851?source=search


As for how is SSO helpful? Users are not prompted for a password. You could argue that as a bug or a feature depending on various criteria.

So there is some conflation of what SSO is (in the community, and amongst PTC documentation). SSO in the context of PTC tools really can be described in two parts: Authentication (SAML) and Authorization (OAuth Delegated Authorization). The idea is that a person uses one set of credentials to access all of the enterprise (and sometimes out-of-enterprise) applications. This is where you ask "if a user uses the AD credentials to log in to Windchill, how exactly is SSO helpful?" The answer may be: you don't. OOTB (OK, I know there will be replies from folks creatively commanding Apache to do creative authentication) PTC only supports basic authentication, forms-based authentication, and SAML (using Shibboleth). If you need anything other than Basic authentication (username/password), then you will likely have to configure Windchill for SSO and redirect Windchill to a SAML Identity Provider (IdP), either enterprise or by setting up a PingFederate or Shibboleth IdP. The other option would be to customize your Apache and use Apache modules to accomplish this. Additionally, SSO does not mean you can't use username/password authentication. SSO merely allows you to standardize how applications authenticate across the enterprise.


The true benefit of SSO, however, is when you have other enterprise applications that can use a single login process at the IdP (authentication) and talk to each other on behalf of the user (OAuth Delegated Authorization). Most folks have used REAL SSO in their daily lives and may not have realized that is what it was. Ever use Google or Facebook credentials to log into another website? That's Single Sign-On!


As for security, it was previously mentioned that this is a way to implement MFA, which adds to authentication security. Additionally, using SSO, your SAML and OAuth providers can be used to enforce enterprise policies (session timeout, reauthentication policies, domains that can use it, connecting to other authentication sources for partners, etc.). This gives you limitless opportunities to standardize how employees and partners across the enterprise can access your enterprise tools, SECURELY!


Maybe your enterprise isn't ready for SSO, or doesn't fully support SAML / OAuth in a way that works with PTC tools? If that's the case, do you plan on integrating some of the PTC tools together (Windchill, Codebeamer, Integrity, Vuforia, ThingWorx, etc.)? Then you will need to configure SSO in at least your Windchill environment.


Don't take the decision to use SSO lightly. If you don't have a need to connect applications, and your current authentication methods are compliant with your company's policies, then Directory Service / LDAP auth is probably fine, but understand the limitations you will have.


Note: OAuth has both an authentication protocol (OIDC) and Delegated Authorization. I didn't delve much into OIDC here, but that may be an option apart from SAML for just authentication. That being said, if your enterprise has just OIDC and not delegated authorization configured, you can't do OAuth between PTC tools.
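The reply above describes the SAML half of Windchill SSO: the user authenticates once at the IdP, and the IdP hands the service provider (the Shibboleth SP in front of Windchill) a signed assertion instead of a password. The following is an added example, not code from this thread or from PTC, modelling what that SP has to check before it trusts the assertion: the IdP's signature, the issuer, the audience (an assertion minted for Codebeamer must not log a user into Windchill), the validity window with clock skew, and one-time use of the assertion ID. The entity IDs, the signing key and the timestamps are constructed for the demo; HMAC-SHA256 over a JSON body stands in for the XML-DSig signature over a real SAML assertion, and the rest of the checks are the ones a real SP performs.

```python
"""Minimal model of SAML assertion validation at a service provider.
Added example (not PTC's or Shibboleth's code). Entity IDs and the key are
constructed; HMAC-SHA256 over JSON replaces XML-DSig for brevity."""
import hashlib
import hmac
import json
import secrets

# Constructed names for the example; replace with your real entity IDs.
IDP_ENTITY_ID = "https://idp.example.com/idp/shibboleth"
WINDCHILL_SP_ID = "https://windchill.example.com/Windchill/shibboleth"
IDP_SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def idp_issue_assertion(key, subject, now, audience=WINDCHILL_SP_ID, lifetime=300):
    """IdP side: the user already authenticated at the IdP (password, MFA, ...);
    issue a signed assertion naming the SP it is intended for."""
    assertion = {
        "ID": "_" + secrets.token_hex(16),  # unique per assertion; used for replay detection
        "Issuer": IDP_ENTITY_ID,
        "Audience": audience,
        "Subject": subject,
        "AuthnInstant": now,
        "NotBefore": now,
        "NotOnOrAfter": now + lifetime,
    }
    body = json.dumps(assertion, sort_keys=True).encode()
    signature = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"assertion": body, "signature": signature}


class ServiceProvider:
    """SP side: what the Shibboleth SP in front of Windchill does, simplified."""

    def __init__(self, entity_id, idp_key, clock_skew=60):
        self.entity_id = entity_id
        self.idp_key = idp_key
        self.clock_skew = clock_skew
        self.seen_assertion_ids = set()

    def validate(self, response, now):
        """Return (subject, 'ok') or (None, reason). Order matters: verify the
        signature before trusting any field inside the assertion."""
        body = response["assertion"]
        expected = hmac.new(self.idp_key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response["signature"]):
            return None, "bad signature"
        a = json.loads(body)
        if a["Issuer"] != IDP_ENTITY_ID:
            return None, "unknown issuer"
        if a["Audience"] != self.entity_id:
            return None, "wrong audience"  # minted for another SP in the same federation
        if now < a["NotBefore"] - self.clock_skew:
            return None, "not yet valid"
        if now >= a["NotOnOrAfter"] + self.clock_skew:
            return None, "expired"
        if a["ID"] in self.seen_assertion_ids:
            return None, "replayed"  # same assertion presented twice
        self.seen_assertion_ids.add(a["ID"])
        return a["Subject"], "ok"


def demo():
    """Run the SP against a fresh, replayed, tampered, mis-audienced and stale assertion."""
    sp = ServiceProvider(WINDCHILL_SP_ID, IDP_SIGNING_KEY)
    t0 = 1_700_000_000  # constructed epoch timestamp
    results = {}
    good = idp_issue_assertion(IDP_SIGNING_KEY, "alice", t0)
    results["fresh"] = sp.validate(good, t0)
    results["replay"] = sp.validate(good, t0 + 1)
    # Attacker edits the subject after signing: signature no longer matches.
    tampered = dict(good, assertion=good["assertion"].replace(b'"alice"', b'"admin"'))
    results["tampered"] = sp.validate(tampered, t0)
    # Valid assertion, but issued for a different SP (e.g. a Codebeamer instance).
    other = idp_issue_assertion(IDP_SIGNING_KEY, "alice", t0,
                                audience="https://codebeamer.example.com/sp")
    results["other_sp"] = sp.validate(other, t0)
    # Presented after NotOnOrAfter plus the allowed skew.
    stale = idp_issue_assertion(IDP_SIGNING_KEY, "alice", t0)
    results["stale"] = sp.validate(stale, t0 + 300 + 60)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} -> {outcome}")
```

The audience check is the one that matters most once several PTC tools share one IdP: each SP registers its own entity ID with the IdP, and an assertion for one tool must be rejected by the others. The replay set is per-SP state; in a clustered Windchill deployment it has to be shared across nodes or bounded by the assertion lifetime, which is why short NotOnOrAfter windows are the norm.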
