
OpenID as an internal authentication mechanism


One of my requirements is to implement single sign-on for a set of sites. There is no need to support OpenID in the usual way, nor to become an OpenID provider. However, I am thinking about using OpenID internally. My questions are:

  • If my OpenID provider is limited to a trusted list of domains, will the authentication experience be transparent to users (except for a few redirects to the provider subdomain and back, and a slightly different form design)?
  • Since the provider is not public (it has a list of domains to check redirects against), will there be no new attack surface introduced?
  • If one of the sites has a desktop application, should the application talk to the provider directly or via a facade of the site?

I found a similar question which is useful but does not really answer mine.


Solution

  1) Yes, the experience can be similar, but not seamless. For example, you might not be able to have a username/password login box on the site.

  2) The provider has to be accessible by the client (not just the Relying Party). So it depends on whether your clients are internal or on the internet.

  3) It really depends on whether the application can do OpenID. Also, see (1): can the application handle opening up of the provider webpage?
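The "list of domains to check redirects against" from the question is the one control that keeps an internal provider from becoming an open redirector, so here is an added example of that check (not code from the question or the answer). It assumes hypothetical Relying Party hostnames and compares the parsed hostname exactly, which defeats prefix-spoofed hosts, userinfo tricks and scheme or port changes that a substring match would let through.

```python
from typing import Optional
from urllib.parse import urlencode, urlsplit

# Constructed allow-list of Relying Party hosts the internal provider may
# redirect back to (hypothetical names, not from the original post).
TRUSTED_RP_DOMAINS = {"app1.example.internal", "app2.example.internal"}


def is_trusted_return_to(return_to: str, trusted=TRUSTED_RP_DOMAINS) -> bool:
    """True only if return_to points at an allow-listed host over https.

    Exact comparison on the parsed hostname rejects:
      - prefix spoofing:  https://app1.example.internal.attacker.net/
      - userinfo tricks:  https://app1.example.internal@attacker.net/
      - scheme/port changes that would land on a different listener.
    """
    try:
        parts = urlsplit(return_to)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    host = parts.hostname  # lower-cased; userinfo and port already stripped
    if host is None or port not in (None, 443):
        return False
    return host in trusted


def provider_redirect_target(return_to: str, assertion: dict) -> Optional[str]:
    """Build the redirect back to the RP with the provider's response
    parameters appended, or return None if return_to is not trusted."""
    if not is_trusted_return_to(return_to):
        return None
    separator = "&" if urlsplit(return_to).query else "?"
    return return_to + separator + urlencode(assertion)


if __name__ == "__main__":
    # Constructed sample: one legitimate callback and one spoofed host.
    for candidate in ("https://app1.example.internal/openid/callback",
                      "https://app1.example.internal.attacker.net/callback"):
        print(candidate, "->", provider_redirect_target(candidate, {"openid.mode": "id_res"}))
```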