SSO doesn't have to mean you delegate anything. You can run e.g. a SAML identity provider on-prem with no public Internet access. The browser, being on the VPN, can reach both the identity provider and the application, and can pass along the necessary assertion even if the application cannot talk to the identity server. The application itself may or may not be on-prem as well. I worked on this exact setup for some SaaS software for banks. Our applications were in AWS and we never had any ability to reach the bank identity servers.
https://arstechnica.com/information-technology/2023/11/no-ok...
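The browser-relayed flow the comment describes, as an added, constructed illustration (not the commenter's bank deployment and not any SAML library's code): the identity provider issues a signed assertion, the browser carries it to the application, and the application validates it entirely locally with key material provisioned at federation setup, never opening a connection back to the IdP. The "signature" here is an HMAC with a pre-shared key standing in for the XML-DSig signature a real SAML service provider would verify against the IdP's certificate from its metadata; the entity IDs, times and key are assumed values.

```python
"""Model of SSO where the application never reaches the identity provider.

Added example, not the commenter's code. The HMAC "signature" stands in for
XML-DSig over a SAML assertion; all names, keys and times are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

# Assumption: exchanged out of band when the federation was set up. In real SAML
# this is the IdP's signing certificate in its metadata; the SP only needs to hold it.
IDP_ENTITY_ID = "https://idp.bank.example/saml"        # constructed; reachable only from the VPN
SP_ENTITY_ID = "https://app.vendor.example/saml/acs"   # constructed; hosted outside the bank
SIGNING_KEY = b"constructed-out-of-band-provisioned-key"


def idp_issue_assertion(subject, audience, now=None, ttl=300):
    """On-prem IdP: authenticates the user and returns a signed, base64-encoded response."""
    now = int(time.time()) if now is None else now
    body = {
        "issuer": IDP_ENTITY_ID,
        "subject": subject,
        "audience": audience,          # which application this assertion is for
        "not_before": now,
        "not_on_or_after": now + ttl,  # short validity window limits reuse
        "id": hashlib.sha256(f"{subject}:{now}".encode()).hexdigest()[:16],
    }
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    # HTTP-POST binding analogue: the IdP hands the browser a form field to submit to the SP.
    return base64.b64encode(json.dumps({"assertion": body, "signature": sig}).encode()).decode()


def browser_relay(saml_response):
    """The browser, on the VPN, posts the IdP's response to the application's ACS endpoint."""
    return {"SAMLResponse": saml_response}


def sp_consume(form, now=None, seen_ids=None):
    """Application-side consumer. No network call: every check uses local state only."""
    now = int(time.time()) if now is None else now
    seen_ids = set() if seen_ids is None else seen_ids
    try:
        doc = json.loads(base64.b64decode(form["SAMLResponse"]))
        body, sig = doc["assertion"], doc["signature"]
    except (KeyError, TypeError, ValueError):
        return None, "malformed response"
    payload = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None, "bad signature"             # tampered in transit through the browser
    if body.get("issuer") != IDP_ENTITY_ID:
        return None, "unknown issuer"
    if body.get("audience") != SP_ENTITY_ID:
        return None, "assertion not intended for this application"
    if not (body["not_before"] <= now < body["not_on_or_after"]):
        return None, "assertion outside its validity window"
    if body["id"] in seen_ids:
        return None, "assertion replayed"        # same assertion presented twice
    seen_ids.add(body["id"])
    return body["subject"], "ok"


def tamper_subject(saml_response, new_subject):
    """Helper for the demo: rewrite the subject without re-signing, as a relay might try."""
    doc = json.loads(base64.b64decode(saml_response))
    doc["assertion"]["subject"] = new_subject
    return base64.b64encode(json.dumps(doc).encode()).decode()


def run_demo(now=1000):
    """Exercise the happy path and the rejections; returns the outcome of each case."""
    good = idp_issue_assertion("alice", SP_ENTITY_ID, now=now)
    seen = set()
    return {
        "valid": sp_consume(browser_relay(good), now=now + 10, seen_ids=seen),
        "replay": sp_consume(browser_relay(good), now=now + 20, seen_ids=seen),
        "tampered": sp_consume(browser_relay(tamper_subject(good, "admin")), now=now + 10),
        "wrong_audience": sp_consume(
            browser_relay(idp_issue_assertion("alice", "https://other.example", now=now)), now=now + 10),
        "expired": sp_consume(browser_relay(good), now=now + 1000),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case:15} -> {result}")
```

The point the consumer makes is that nothing in `sp_consume` needs a route to the IdP: signature key, issuer, audience, validity window and replay state are all local to the application, which is why the AWS-hosted service in the comment could accept assertions from an identity server it could never connect to.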