Odoo supports other authentication mechanisms than local passwords, out-of-the-box:
- LDAP authentication is provided by the built-in `auth_ldap` module. It requires an external LDAP service, such as openldap or a Microsoft Active Directory. It works at the XML-RPC level as well, because it is a password-based mechanism.
- OAuth2 authentication is provided by the built-in `auth_oauth` module. It requires an external OAuth2 provider, such as Google or Facebook accounts. This does not work transparently at the XML-RPC level, because it is not strictly password-based. You need to do the OAuth authentication of an HTTP session first, and then you can use the JSON-RPC API to remotely access Odoo as you would with XML-RPC.
- Odoo 8 also includes built-in support for OpenID integration, via the `auth_openid` module. This requires an external OpenID service, but has been deprecated as of Odoo 9 in favor of the equivalent OAuth services. Similarly to OAuth, it is not password-based so it will not work at the XML-RPC level directly.

The Odoo API is fully accessible through either XML-RPC or JSON-RPC; these are strictly equivalent. There are RPC libraries for each in most languages, and popular languages often have dedicated Odoo RPC libraries.
You can easily achieve SSO on Odoo and your PHP application by using one of these external authentication mechanisms, as there are PHP libraries for each of them. You just need to choose a suitable provider for your case.
In addition, third-party community modules exist for other authentication mechanisms (look here for starters). For example, for version 7.0 there was a module that would authenticate in Odoo based on the HTTP Basic authentication (`auth_from_http_basic`), allowing for SSO based on the web server's pluggable authentication. I don't think it was ported for version 8, but you can perhaps contact the authors and help get it done.
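
Why a password-based backend such as `auth_ldap` works over XML-RPC while an OAuth login does not, as an added example that is not part of the original answer: every call repeats the login's password, and there is no session token. The stub server, the `alice` account and the `start_stub`/`odoo_login` helpers are constructed for illustration; `authenticate` and `execute_kw` on `/xmlrpc/2/common` and `/xmlrpc/2/object` are the method names and paths of Odoo's external API.

```python
import threading
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCServer, SimpleXMLRPCRequestHandler

# Constructed stand-in for an Odoo server; a real one with auth_ldap would ask
# the LDAP directory to verify the password. Sample account, not real data.
USERS = {"alice": {"uid": 7, "password": "s3cret-from-ldap"}}

class OdooPaths(SimpleXMLRPCRequestHandler):
    rpc_paths = ("/xmlrpc/2/common", "/xmlrpc/2/object")

def _authenticate(db, login, password, env):
    user = USERS.get(login)
    return user["uid"] if user and user["password"] == password else False

def _execute_kw(db, uid, password, model, method, args):
    # The password is verified again on every call: there is no session token.
    for login, user in USERS.items():
        if user["uid"] == uid and user["password"] == password:
            return {"model": model, "method": method, "as": login}
    raise xmlrpc.client.Fault(3, "Access denied")

def start_stub():
    """Start the stub on a free loopback port; return (base_url, server)."""
    server = SimpleXMLRPCServer(("127.0.0.1", 0), requestHandler=OdooPaths,
                                logRequests=False, allow_none=True)
    server.register_function(_authenticate, "authenticate")
    server.register_function(_execute_kw, "execute_kw")
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1], server

def odoo_login(url, db, login, password):
    """Return (uid, call); call() resends the credentials with each request."""
    common = xmlrpc.client.ServerProxy(url + "/xmlrpc/2/common")
    uid = common.authenticate(db, login, password, {})
    if not uid:  # the stub returns False for a rejected login
        raise PermissionError("login rejected for %r" % login)
    models = xmlrpc.client.ServerProxy(url + "/xmlrpc/2/object")
    def call(model, method, *args):
        return models.execute_kw(db, uid, password, model, method, list(args))
    return uid, call

if __name__ == "__main__":
    url, server = start_stub()
    uid, call = odoo_login(url, "demo", "alice", "s3cret-from-ldap")
    print(uid, call("res.partner", "search_count", []))
    server.shutdown()
```

Because the password is resent with every request, a real client should be pointed at an HTTPS URL. A user who only ever signs in through OAuth has no password to put in these calls, which is why that route needs an HTTP session first.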