I would like to share a great news about Android Enterprise: many customers are requesting SSO as soon as we integrate Android Enterprise apps. As of August 2018 there is no native Kerberos integration in Android, as opposed to iOS. Google told us during the Android Enterprise Summit that they still have some “open” challenges with Kerberos on Android.
We have now such a product called Hypergate, which is generic, works with all EMMs and provide a secure SSO with Kerberos on Android Enterprise. As an example, you may use Chrome to access your internal apps/websites without any login.
This requires a per-App VPN solution like MobileIron Tunnel, or that the device has connectivity (TCP,UDP) in the internal network.
The solution is compatible with Basic authentication (towards the KDC) and also Certificate-based Authentication.
We would be happy to give you more information if requested.