We use it via an ADFS federation with AGO and roughly 700+ users of the app in the field right now. We brought this issue up about 18 months ago in monthly meetings we were doing with the ESRI Apps Dev Team, and it was due to the limitation then that Web Tier authentication wasn't supported; it is all token based. So, essentially, users are having to log in to AGO (Windows integrated auth supported here and works), but then once the user selects the map to use, they must provide login information again to authenticate with your backend (ArcServer's specified identity store).
Believe it was 2 AGO updates back (June/July roughly) when they provided an option within AGO to add "Trusted Servers". The intention with this is to mimic a federation, and in theory, when your backend is entered here, it's supposed to create the SSO experience for the user by allowing AGO to pass the credentials provided by the user to your backend and handle that authentication in the background, thus eliminating the second prompt.
We plan to do some testing of this capability in the next few months. It was placed on hold while we have had to work some very extensive testing to establish the ability to use 2 separate AD forests where a 1-way trust exists (ESRI claims a non-supported scenario due to configurations within ArcServer to only read a single identity store), and we are in the last phase with just 1 workflow scenario to resolve before we can show it can/does work.
Thank you, Scott. We do not have to log in again to get to a map; however, there are several prompts before logging in. My apologies, I could have worded that better. The user is first prompted to choose between going straight to AGOL or the enterprise account, then type in the domain, then choose between AGOL or Enterprise account again, then finally, there is a login prompt. It seems pretty obvious that three of these prompts could be eliminated, and I am trying to find a way to make life less difficult for our field workers.
Ahhh, OK, you are referring to the actual Collector app from the initialization through to the login. Sadly, I'd say right now the answer is no, there isn't any better streamlined workflow. Once the user performs the initial sign on, unless they sign out of the app or kill it, I can say from iOS devices they should be auto logged in.
Unfortunately, the step 1 choice for enterprise is how they drive the click stream for the domain that is needed so that ESRI can point to the right organization instead of ArcGIS.com, and then, with the app pointing to the right domain site, it's re-asking if the user wants to use an AGO side account or Enterprise account option with the final login piece.
Probably would make for a great idea forum post. Suggest something where ESRI can add a configuration option into the local device app under the existing settings option. Allow the user to choose to store the current login details as some sort of a template saved to the local device, and on launch the app will load the user to the organization's domain-based page (your step 3) so all they have to do is select which login, AGO or Enterprise, and log in. Obviously ESRI would have to build in some sort of escape function as an embedded piece of the template that would allow a user to get back to the current initial page for ArcGIS.com.