Staff SSO can be done via the SSO Adapter, which is already built into the Ghost code. The adapter can be deployed externally into the ‘content’ folder, hence would not be impacted by Ghost upgrades (I am assuming Ghost upgrades do not touch the content folder). A default one (which does nothing) is already provided under core. Although I should add that only the request object is provided to the handler, so SSO must be done without modifying the response object.
As for SSO for members, at this point it looks like the only way to do it is by going into the core code and intercepting the request using Express middleware, as there is no hook built in (or I have not found one). Then performing the SSO functions to figure out if someone is trying to access using an Identity Provider, and setting the user to that, is all you need. As this requires a bit of core code update, one should be careful to add it back after a Ghost upgrade (most functionality can be kept under content and imported from core code to limit this amount).
For both cases, I have OAuth2 working (doing the regular OAuth2 dance with a userinfo API call; have not tried OIDC), which I did for a product I am building.
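An added example (not from the original post and not Ghost's own code) of the member-side middleware described above: it takes an IdP access token from the request, resolves it through an injected userinfo lookup, and attaches the resulting member to the request so the rest of the stack can use it. The `fetchUserInfo` helper, `req.member`, and the fake IdP data are assumptions made for this example, not Ghost APIs.

```javascript
// Added example, not Ghost's code: an Express-style middleware that resolves a
// member from an OAuth2 access token via the IdP's userinfo endpoint. The HTTP
// call is injected (fetchUserInfo) so it runs offline; sub/email/email_verified are OIDC's standard claims.

function bearerToken(req) {
  const header = (req.headers && req.headers.authorization) || '';
  const match = /^Bearer\s+(\S+)$/i.exec(header);
  return match ? match[1] : null;
}

// Map IdP claims onto a member. Only a verified email is accepted, otherwise an
// email that merely exists at the IdP could be mapped onto an existing member.
function memberFromClaims(claims) {
  if (!claims || typeof claims.sub !== 'string') return null;
  if (typeof claims.email !== 'string' || claims.email_verified !== true) return null;
  return { idpSubject: claims.sub, email: claims.email.toLowerCase(), name: claims.name || '' };
}

// fetchUserInfo(token) -> Promise<claims|null> (hypothetical helper; does the GET in production).
function memberSsoMiddleware({ fetchUserInfo }) {
  return async function (req, res, next) {
    const token = bearerToken(req);
    if (!token) return next();                 // no IdP token: hand over to Ghost unchanged
    try {
      const member = memberFromClaims(await fetchUserInfo(token));
      if (!member) { res.statusCode = 401; return res.end('SSO token rejected'); }
      req.member = member;                     // downstream handlers see the resolved member
      return next();
    } catch (err) { return next(err); }
  };
}

// Offline demonstration with a constructed fake IdP: one good token, one token
// whose email is unverified, and one request with no token at all.
async function demo() {
  const fakeIdp = {
    good: { sub: 'idp-42', email: 'Ann@Example.com', email_verified: true, name: 'Ann' },
    unverified: { sub: 'idp-43', email: 'mallory@example.com', email_verified: false },
  };
  const mw = memberSsoMiddleware({ fetchUserInfo: async (t) => fakeIdp[t] || null });
  const run = async (authorization) => {
    const req = { headers: authorization ? { authorization } : {} };
    const res = { statusCode: 200, end() {} };
    let nextCalled = false;
    await mw(req, res, () => { nextCalled = true; });
    return { member: req.member || null, status: res.statusCode, nextCalled };
  };
  return { accepted: await run('Bearer good'), rejected: await run('Bearer unverified'), passthrough: await run(null) };
}
```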