So your company doesn't have certain functions where someone has said "this is really critical so we'll force a sign-in even if the SSO token is already there" because that happens to me 10 times a day at my work.
I see this in situations similar to sudo where you need to make sure it is the same user that signed on when elevating privileges, vs letting in anyone who sits down at an unlocked user's terminal.
Which is silly because if you do that you're basically admitting that your SSO isn't fulfilling its promise of identifying the user. If you are having the thought, "what if the user I authed isn't the user anymore" then you should be reauthing them for any service at that point.
Almost as fun as when TSA uses logic like “we thought you were going to hijack a plane using those nail clippers, but now that we’ve made you throw them away, you can board with no further scrutiny! Crisis averted!”
Yes, this does happen. Especially for HR related matters. But that's definitely more of an exception than the rule. For most services that I use on a day-to-day basis, the experience is seamless.
Honestly I don't mind this too much as long as it's yubikey only, that literally is just reach up, tap, hit enter: 1-2 seconds if you know it's coming. If they require to reenter a password it's more like 10-30 seconds depending on if I mistype anything. That's just setting the wrong incentive to have a weak password that is easy to type.