We use a reverse proxy setup. Many applications support extracting the logged-in user from the HTTP headers. See this example for an explanation:
https://wiki.jenkins.io/display/JENKINS/Reverse+Proxy+Auth+Plugin
This way, OAuth or SAML or whatever auth protocol you choose needs to be supported only by the reverse proxy.
So far we were able to provide SSO for every application in our extranet.
Regarding the private apps, you can already set access controls for apps, but they will still be available publicly. For the moment this is likely out of scope for Cloudron. Not sure, maybe this belongs to some VPN setup for organizations with this requirement?
Maybe there is a misunderstanding. For clarification:
Every app in our setup is theoretically accessible from the public internet. If the user is not authenticated and does not have rights to access the app, no HTTP traffic is getting through to the app. This improves security. The app is accessible from the public internet, but not directly exposed to it.
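The header-based setup discussed in this thread is only safe if the app accepts the identity header from the reverse proxy alone. The sketch below is an added example, not code from any poster or from Cloudron or Jenkins: a WSGI middleware that fails closed for direct connections. The proxy address `10.0.0.5` and the header name `X-Forwarded-User` are assumptions.

```python
import ipaddress

# Assumptions (not from the thread): the proxy's address and the header name.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]
USER_HEADER = "HTTP_X_FORWARDED_USER"  # WSGI spelling of X-Forwarded-User


def from_trusted_proxy(remote_addr):
    """True only if the TCP peer is one of the configured reverse proxies."""
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(peer in net for net in TRUSTED_PROXIES)


class ProxyAuthMiddleware:
    """Sets REMOTE_USER from the proxy header; rejects every other request."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        user = environ.get(USER_HEADER, "").strip()
        if not from_trusted_proxy(environ.get("REMOTE_ADDR", "")) or not user:
            # Direct connection, or the proxy authenticated nobody: fail closed.
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]
        environ["REMOTE_USER"] = user
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    # Stand-in for the real application; it only ever sees REMOTE_USER.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello " + environ["REMOTE_USER"]).encode()]


def simulate(remote_addr, headers):
    """Run one constructed request through the middleware; return (status, body)."""
    seen = {}
    environ = {"REMOTE_ADDR": remote_addr, **headers}
    body = ProxyAuthMiddleware(demo_app)(
        environ, lambda status, hdrs: seen.update(status=status))
    return seen["status"], b"".join(body)
```

The same rule can also be enforced at the network layer by binding the app to an interface that only the proxy can reach.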