This is a mixture of SLO and SSO. The single login aspects are common and can be configured in a number of ways; they will rely on the LDAP protocol, and as such your Linux clients will be inside your private network and be configured to send authentication requests to a domain controller. This covers single login; there are many resources that cover deploying, configuring and managing this kind of setup.
The second scenario covers single sign-on: authentication happens in your domain and authorisation happens in the other. This is achieved by installing an identity provider or subscribing to an online service SaaS offering that provides support for single sign-on protocols.
Your question mentions Active Directory Federation Services. If you have this on your domain then you can support these protocols: Security Assertion Markup Language (SAML), Windows Identity Federation (WIF), Lightweight Directory Access Protocol (LDAP) and OpenID Connect (OIDC). You can integrate Kerberos ticketing and achieve true SSO.
You can achieve what you are trying with OIDC, and you should try to stick with using one federation protocol, because logging into a service with SAML will not automatically log you in to a service that depends on OIDC.
Google apps use the OIDC protocol, but it's not clear if your identity provider is ADFS or Google.