Hi Anna - we use OneLogin for our SSO. When it comes to mobile - our people click on the jive app, then authenticate via OneLogin.
We don't require users to be on VPN to use SSO. But we do require client certificates. Please encourage your account team to drive the request for the mobile app to use Safari View Controller instead of the embedded browser. If you have certificates provisioned to your mobile devices, this will allow authentication to work, will allow "true" SSO and keep credentials out of the app.