By default googles SSO will bypass the 2-Step verification setting, BUT you can force google to check and challenge logins forcing any user that has set up 2-Step verification for their account.


To activate Login Challenges you must be a G-Suite admin user:

Sign into G-Suite admin at admin.google.com
Navigate to Security>Login Challenges and choose the OU you want to apply settings to in left hand list (You may want to create a new OU) > Click ‘Post-SSO verification’ and select 'Logins using SSO are subject to additional verifications (if appropriate) and 2-Step Verification (if configured)’ > Now Hit SAVE


Now allow your users to be able to enable 2-Step Verification

Navigate to Security>Basic settings > Tick ‘Allow users to turn on 2-step verification’


 
 
Now let users know how they can set up 2-Step Verification (they will need a mobile phone):
• Go to your Google account. https://myaccount.google.com
• On the left navigation panel, click Security.
• On the Signing into Google panel, click 2-Step Verification.
• Click Get started.
• Follow the steps on the screen.- We advise to use the text code service