Ie. it will create a temporary deadbeef123@your-domain.com email address, use that to sign up to the 3rd party web app and keep the password secret from the user.
Then, when the user returns to the site, your on-site server provides the auth details for each logon (or even better, logs in for the user and just sets the right cookies).
For some sites, it will also make sure the user is a member of the right 'team', has access to the right shared documents, has their display name matching their name in the corp database, etc.
Basically it allowed IT Admins to “hide” the password from users logging into websites with traditional user/pass login flows.