mu-login-consolidate.php

<?php

/**
 * Plugin Name: Multisite Login Consolidation
 * Author: georgestephanis
 * License: GPLv2+
 * Requires PHP: 7
 * Network: true
 */

add_action( 'login_init', function() {
	if ( ! is_multisite() ) {
		return;
	}
	if ( ! is_main_site() ) {
		switch_to_blog( get_main_site_id() );
		wp_safe_redirect( wp_login_url( $_REQUEST['redirect_to'] ?? null ) );
		exit;
	}
} );

The purpose of this is to redirect all logins for the multisite installation to the main site for the network in question.

This is for cases where the main site's login page may offer a SSO system of some sort -- and to avoid confusion and inconsistencies of other subsite login pages that don't offer that option.

This is a good start, but I have a hunch that it will need a bit more work.

• There isn't a way to make sure that the $_REQUEST variables are carried over, so action and customize-login may not work
• interim-login may not work, so the time-out pop-up modal thing may redirect in a weird way
• I think you may lose your actual redirect-to which means that smart redirects won't work (unless you add them back with the login_redirect filter)
• Non default $action's (like confirm_admin_email, lostpassword, retrievepassword, etc...) may not work

Here is what the WordPress.org SSO has morphed into over time. It's a little bit beastly, and depends upon the possible TLDs being known and predefined, which might not always be possible, and probably could/should be a wildcard with verification elsewhere. By this I mean that the various multi-site/network domains are limited for WordPress.org, but in an open-world installation (like WordPress.com) something else would need to happen.