Issue 604272
Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Feature
FR Force Single Sign-On flow with every sign in when online

Reported by gbirtchnell@chromium.org (Project Member), Apr 18 2016

Issue description

Customer would like to force their Chromebook users through the SSO flow via their IdP with every online sign-in attempt.

This is to accommodate an IdP providing controlled access to the user based on the IP address from which they are attempting to sign in.

This would also need to allow users to sign in while offline.

Currently when SSO is enabled the minimum frequency via user policy is 3 days, which is too high for this customer.

Attachment: download (3).png (14.4 KB)

Comment 1 by jayhlee@google.com, Jun 12 2016

If customer sets Device settings > Sign-in screen > Never show user names and photos policy then I believe they'll always be pushed through SSO flow. If they are offline or logged in and unlocking the device it will just require the offline password. Would this meet their need?

Comment 3 by saswat@chromium.org, Jun 14 2016

Cc: -dskaram@chromium.org saswat@chromium.org
Owner: dskaram@chromium.org
David has been thinking about this.

Comment 4 by dskaram@google.com, Jun 16 2016

+1 to Comment 1. A little-known fact about the online flow when the device loses internet is that it will show a fake Google sign-in screen. If the user types in their email address and their offline password, it will let the user in without doing online auth. It will be a bit strange for a SAML user, since the fake screen looks like GAIA and not like their IdP, but it should cover their bases.

Comment 5 by dskaram@google.com, Jun 16 2016

That said, what's not a high timeout? 1 day? The original worry was that we want to protect the user experience with the pods screen and we don't want admins to deprive users of an offline experience by setting this to 0 days. 3 days was considered a reasonable compromise. 

Though per comments #1 and #4, this can be easily worked around by using an existing policy.

Cc: ltong@chromium.org sdavern@chromium.org

+ltong, sdavern FYI

It feels like we have a workable solution that's outlined in c#1 and discussed with me a while back (thanks Jay!).

I've shared this with the partner previously and at this stage have not had feedback that this isn't addressing their use case.

Need to revisit this.

The ask is now not to force the SSO flow with every sign-in when online, as the title suggests, but instead to have lower frequency options in CPanel, e.g. 1, 3, 5 hours.

Adding some context:
- The Azure AD user portal is providing access to employee apps.
- When the Azure AD timeout value is exceeded, or the user's access changes (internal to external or vice versa), they have to re-authenticate with the site by design to gain access to any of the apps it provides.
- Chromebooks continue to provide access to GApps regardless, which is undesired from a corporate data security perspective.
- Forcing the SSO flow on every sign-in with "never show user names and photos" is overkill and additional work for the user.

Essentially, bringing the Chrome SSO user policy timer down to less than the Azure AD timeout aligns Chrome device access, GApps access and Azure AD apps access, so that the SSO flow is followed only when necessary (timeout, network change...).

This provides consistency, instead of having users signed into the Chrome device and GApps, but not into Azure AD and all the apps Azure is providing access to.

Comment 8 by jayhlee@google.com, Oct 28 2016

Labels: -Enterprise-Hotlist Hotlist-Enterprise
Please use Hotlist-Enterprise, not Enterprise-Hotlist.

Comment 9 by saswat@chromium.org, Nov 10 2016

Cc: -saswat@chromium.org
Status: Assigned (was: Untriaged)
Owner: marcuskoehler@chromium.org
Labels: Hotlist-Enterprise-Identity