By default googles SSO will bypass the 2-Step verification setting, BUT you can force google to check and challenge logins forcing any user that has set up 2-Step verification for their account.


To activate Login Challenges you must be a G-Suite admin user:

Sign into G-Suite admin at admin.google.com
Navigate to Security>Authentication>Login Challenges and choose the OU you want to apply settings to in left hand list (You may want to create a new OU) > Click ‘Post-SSO verification’ and select 'Ask users for additional verifications from Google if a sign-in looks suspicious, and always apply 2-Step Verification policies (if configured)’ > Now Hit SAVE


Now allow your users to be able to enable 2-Step Verification

Navigate to Security>Basic settings > Tick ‘Allow users to turn on 2-step verification’


 
 
Now let users know how they can set up 2-Step Verification (they will need a mobile phone):
• Go to your Google account. https://myaccount.google.com
• On the left navigation panel, click Security.
• On the Signing into Google panel, click 2-Step Verification.
• Click Get started.
• Follow the steps on the screen.- We advise to use the text code service