On the project where I’m working (staged migration to O365) the costumer asked me about secure authentication for ActiveSync devices (iPhone/iPAD) and computers (outlook 2010 SP2). I have implemented ADFS 3.0.
If you use Office 2010, the first time you configure Outlook it promt for credentials and it saves this on the Windows Credentials Manager. After, Outlook go to autenticate to Office 365 using Basic Authentication and is Office 365 who go after to ADFS.
With Outlook 2013/2016 Outlook use Windows Authentication. It´s a real SSO because doesn’t save your user credentials on any place and it is who goes to ADFS and not O365. It is using Modern Authentication.
Summarizing: Use Outlook 2013 or 2016 to have a real Single Sign On.
Note 1: Outlook 2013 by default uses Basic Auth, you need to activate Modern Auth.
Note 2: iOS built in email client uses Basic Auth. Install and use Outlook 2016 App.