
I like Teleport. It's not an SSO implementation but if you pay Gravitational you get SAML. BLESS, the Netflix solution, relies on you being able to call a Lambda. You can SSO that as well via STS' AssumeRoleWithSAML. (But be careful, AWS SSO should be like the last SSO you implement, generally hardening IAM is super complicated, talk to me for more details. We owe y'all a bunch of dinky "here's how you do IAM" blog posts.)

EDIT: I previously incorrectly claimed that you need to pay Gravitational for Teleport SSO. That is incorrect: you only need to pay for _SAML_, specifically -- I forgot that you can GitHub auth into it, which is a form of SSO. (Though for most of our customers I think that single trust store is a core part of SSO, and GitHub isn't a good SSO by that metric, by virtue of account reuse and the fairly tenuous links between users and organizations. GitHub does a great job of modeling open source interactions, but that model falls over a bit when translated to commercial software engineering orgs.)




The open source edition of Teleport has SSO support for logging in via GitHub [1]. The enterprise version adds enterprise SAML implementations like Okta, Auth0 and things like ADFS.

[1] https://gravitational.com/blog/replace-static-ssh-keys-with-...


Whoops; my bad!



