You shouldn't need a Service Account for SSO itself. You can do SSO with just regular OAuth. The Apps Marketplace install by the admin whitelists your ClientID for the whole domain, and the domain users should not get prompted.
Here is some code I pulled together without any library dependency - https://github.com/entaq/OAuth2Flows
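The server side of the regular OAuth sign-in described above, as an added example that is not part of the original answer or the linked repository: it builds the authorization request and checks what comes back. The client ID, redirect URI, domain and function names are constructed placeholders, and the claims are assumed to come from an ID token received directly from Google's token endpoint over TLS (or already signature-verified).

```python
import hmac
import secrets
import time
from urllib.parse import urlencode

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}
# Constructed placeholder values, not taken from the answer or the linked repo.
CLIENT_ID = "1234567890-example.apps.googleusercontent.com"
REDIRECT_URI = "https://app.example.com/oauth2callback"
DOMAIN = "example.com"


def build_auth_request(domain=DOMAIN):
    """Return (url, state); store state in the user's session for the callback."""
    state = secrets.token_urlsafe(32)
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "openid email",
        "state": state,
        "hd": domain,  # UI hint only; the hd claim is enforced after login
    }
    return AUTH_ENDPOINT + "?" + urlencode(params), state


def check_callback_state(session_state, returned_state):
    """Reject callbacks that this session did not start (login CSRF)."""
    returned = (returned_state or "").encode()
    return bool(session_state) and hmac.compare_digest(session_state.encode(), returned)


def check_id_token_claims(claims, domain=DOMAIN, now=None):
    """Return (ok, email_or_reason) for already-decoded ID token claims."""
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "unexpected issuer"
    if claims.get("aud") != CLIENT_ID:
        return False, "token issued to another client"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get("hd") != domain:
        return False, "account outside the domain"
    if not claims.get("email_verified"):
        return False, "email not verified"
    return True, claims.get("email")
```

The `hd` request parameter only pre-selects the domain in the sign-in UI, so the domain restriction is enforced from the `hd` claim, which is absent for consumer accounts.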