On macOS, SSO comes from Single Sign On App Extension. For example Microsofts SSOe is built in to the Microsoft Company Portal app, and Okta's SSOe is built in to the Okta Verify App. Once the respective Application for the SSOe you need to use is on the device, you can deploy a configuration profile to enable SSOe. As far as how to build the configuration profile, the vendor should have documentation. I have put Microsoft's and Okta's documentation below.

Apple no longer designs macOS with Domain Binding in mind. I would not spend cycles trying to get anything involving domain binding to work, it won't end well.

Microsoft:

Direct download for the comp portal app: https://go.microsoft.com/fwlink/?linkid=853070

https://learn.microsoft.com/en-us/mem/intune/apps/apps-company-portal-macos

https://macadmins.software/

How to do the thing: https://learn.microsoft.com/en-us/mem/intune/configuration/use-enterprise-sso-plug-in-macos-with-intune?tabs=prereq-other-mdm%2Ccreate-profile-intune

Okta: 

https://apps.apple.com/us/app/okta-verify/id490179405

How to do the thing: https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/config-credential-sso-ext-macos.htm

Hi AJPinto, 

So using the Single Sign-On Extension in Jamf requires a program to be downloaded and installed? So if I want to use the Kerberos Payload type for the Single SIgn-on Extension Configuration Profile, what would I need?

Apple's SSO extension is built into the OS and appears as a menu bar app. Kerberos behaves like a bind and requires on-prem access to AD. SSO is a redirect to your IDP. I thought it was an either or in terms of Kerberos or SSO but could be wrong. 

I think these were the documents I used for the setup.

https://www.apple.com/business/docs/site/Kerberos_Single_Sign_on_Extension_User_Guide.pdf
https://support.apple.com/guide/deployment/kerberos-sso-extension-depe6a1cda64/web

I suppose, what exactly are you trying to configure? The tickets (Kerberos or otherwise) need to come from the correct IPD. The tool you need to configure to generate the tickets will differ based on what IDP you are using. I may have over complicated the answer as most things have moved to OAuth2 for ticket authentication. 

If it's just Apples SSO extension that you are after which will give you Kerberos tickets, that is built in to macOS and just needs a Configuration Profile. It does not have full functionality for mobile accounts though, PW sync for example is disabled for mobile accounts. This just supports on prem AD, and not AAD.

apple.com/za/business/docs/site/Kerberos_Single_Sign_on_Extension_User_Guide.pdf

How to do the thing: HCS Technology Group - A Guide for Configuring the macOS Catalina Kerberos Single Sign-On Extension (hcsonline.com)