“AP SSO” doesn’t really make sense, since AP is just about transport (POST to inbox).
Look instead to OpenID Connect (generic identity provider, IdP) or IndieAuth (identifying as a URL) or RelMeAuth (like IndieAuth, but using a linked identity with OpenID Connect)