Single Sign On and Auth0 Multi Tenant

Hi @matt.demler

First, you should have separate Auth0 tenants for dev and staging.

Second, SSO is done via a cookie in the Auth0 tenant domain (or CNAME), and so multi-tenant will NOT give you SSO.

How do you know if a user is App A only or both A and B? Are they selectively enabled for apps? Like they purchase access to App A, and maybe later also purchase access to B?

Assuming this is true, you want a single tenant, and each user should have an app_metadata field for which apps are enabled. Then have a rule that checks the application ID (client ID) and that app_metadata field and returns an Unauthorized error if the user should not have access.

This gives you SSO.

John

2 Likes
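The rule described in the reply above could look like the following. This is an added example, not part of the original post and not Auth0's own code. The `enabled_apps` field name, the client IDs and the sample users are assumptions made for illustration.

```javascript
// In the Auth0 Rules sandbox UnauthorizedError is a global; this fallback
// exists only so the file also runs under plain Node.
const Unauthorized = typeof UnauthorizedError !== 'undefined'
  ? UnauthorizedError
  : class UnauthorizedError extends Error {};

// Assumption: app_metadata.enabled_apps is an array of the client IDs the
// user may access (hypothetical field name). app_metadata is used rather
// than user_metadata because users cannot edit it themselves.
function enforceAppEntitlement(user, context, callback) {
  const meta = user.app_metadata || {};
  const enabled = Array.isArray(meta.enabled_apps) ? meta.enabled_apps : [];

  // Fail closed: missing metadata, a non-array value, or a client ID that
  // is not listed all end in a denial.
  if (!context.clientID || !enabled.includes(context.clientID)) {
    return callback(new Unauthorized('User is not enabled for this application.'));
  }
  return callback(null, user, context);
}

// Constructed sample users and placeholder client IDs, run through the rule.
function runSamples() {
  const users = {
    aOnly: { app_metadata: { enabled_apps: ['CLIENT_ID_APP_A'] } },
    both: { app_metadata: { enabled_apps: ['CLIENT_ID_APP_A', 'CLIENT_ID_APP_B'] } },
    noMeta: {},                                        // never provisioned
    badType: { app_metadata: { enabled_apps: 'CLIENT_ID_APP_A' } } // string, not array
  };
  const results = {};
  for (const [name, user] of Object.entries(users)) {
    for (const clientID of ['CLIENT_ID_APP_A', 'CLIENT_ID_APP_B']) {
      enforceAppEntitlement(user, { clientID }, (err) => {
        results[`${name}:${clientID}`] = err ? 'denied' : 'allowed';
      });
    }
  }
  return results;
}

console.log(runSamples());
```

The `badType` sample shows why the array check matters: a string value would otherwise pass `includes()` as a substring match.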