If you plan on just using a separate Mx App, I'm not quite sure how you'd keep the session alive for a user if they don't directly connect to the app, and if the session gets killed on your login app your user might have to re-authenticate when switching apps.
Personally I think active directory is the easiest and most straight-forward option, but if you don't have the possibility of using it I would suggest OAuth against a different service.
We have our Mx CRM app on OAuth against Office365, so we get people to authenticate with the company's email provider - this way we don't need to cache any data or store cookies, Office365 does that for us, and on attempting to log in a second time with out app the user gets redirected again to Office365 where their cookie takes effect if it's still active or they're prompted to log in again. Should work in between multiple apps as well since the IdP's cookie would be available on the browser regardless of the source SP.
Hope this helps
We used the sollution provided here: https://www.mattkdaniels.com/blogs/walkthrough-enabling-autologin-functionality-within-your-mendix-app
The first app calls a webservice of the second app to get the token. Then use the deeplink module to goto a page in the second application that logs the user automaticly in. Works perfectly. Assumption is that the user has the same accountname in all the applications.
[EDIT] Found a new blogpost about how to do this: https://medium.com/mendix/mendix-autologin-with-deeplink-1c8fa92873a8
implement an identity provider and connect your apps to the identity provider. Don't try to build this within Mendix, there are lots of solutions available.
The AppCloudServices module is meant for this type of situations (assuming your customer runs apps on the Mendix cloud). Keep in mind, it currently only supports authentication with a Mendix account, not external identity providers.
If you really want to do this (as opposed to buying an identity provider), I think the easiest way is to combine the JWT module and the OAuth module, if the latter supports authentication through JWT (I believe Erwin 't Hoen said it did, but I can't find his post). Otherwise, it shouldn't be too hard to write your own authentication logic based on a JWT.