Hi Aled,
Yes, your understanding is correct. SSO is suggested to make the organization accounts require identities to be authenticated by the on-premise system.
The following links are for your reference:
In addition, you can also logon to portal.microsoftonline.com/.../IdentityFederation.aspx to deploy the SSO according to the wizard.
If anything is unclear about the SSO, please feel free to let me know.
Thanks,
David Zhang