tptacek 2 days ago

It doesn't specifically demand it, but (1) SSO is the simplest way to knock out a huge swath of control objectives, and (2) once you attest to a control like SSO, it's extremely annoying to pull that back. If you hire security/compliance/engineering management to take you through SOC2 and they don't set up and attest to SSO, they're bad at their job.