Most of the modern single sign on (SSO) tools now have some level of integration with your on-premises Microsoft Active Directory. The way they work is to download a small piece of agent software to the Windows Server that is running the domain’s forest machine. Once this is configured and the AD users imported, the SSO provider can start assigning logins to each user.
Some of the products (such as Okta. Microsoft and Centrify) have the ability to reset AD passwords from within their own user portals, which means one less IT support call when the user forgets theirs. Others (such as OneLogin) have lengthy instructions that require careful study to get their agents up and running, or make downloading the agent more difficult. Centrify and OneLogin both offer two-way sync with AD while Okta has one-way imports from AD.