So the SSO part isn’t as bad as it may first appear. If you use the API Key method, then you’re restricted to using the legacy XML-RPC for Infusionsoft, but it does everything you’d need it to and that would be directly SSO. If you use the OAuth XML-RPC or REST, then you can simulate the SSO by managing refreshing of your tokens on an auth server of your own, and in that way the three-legged process can be, in practical terms, a two-legged authentication you can use.
Flow can be used to handle anything coming out of Office and therefore connect to IS with whatever version of the API you will use.
Infusionsoft does have webhooks as well, but they are only available with REST, and REST requires the use of OAuth. Otherwise, using the legacy API, you can use a polling service on a schedule (5-minute polls are common) to check for updates from IS.
Then, the only piece left is what to do with information from IS when you find updates. An Office connector must be set up to take advantage of the Office API, but again, quite doable.
Encryption being a factor, I can tell you that the Infusionsoft API makes use of TLS 1.2, and using HTTPS/SSL covers most people’s concerns with security/encryption. However, if you still want a greater level of encryption, it’s always possible to do, and I’ve even had clients that I’ve developed custom encryption for that would take a very long time (years) for the best systems in the world to brute force through.
In short, there are ways to handle everything you’ve presented as needs here.
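
Added example, not part of the original post: a sketch of the server-side token refresh the reply describes, where one stored OAuth token pair is kept fresh so users never repeat the consent step. `refresh_fn` (the HTTP call to the token endpoint) and `save_fn` (secure storage) are hypothetical stand-ins, and refresh-token rotation, the 300-second margin and all sample values are assumptions.

```python
import threading
import time


class TokenManager:
    """Keeps one OAuth token pair fresh so callers never repeat the consent step."""

    def __init__(self, tokens, refresh_fn, save_fn, clock=time.time, margin=300):
        self._tokens = dict(tokens)    # access_token, refresh_token, expires_at
        self._refresh_fn = refresh_fn  # hypothetical: POSTs grant_type=refresh_token
        self._save_fn = save_fn        # hypothetical: writes to encrypted storage
        self._clock = clock
        self._margin = margin          # refresh this many seconds before expiry
        self._lock = threading.Lock()  # one refresh at a time, so a token is never reused

    def access_token(self):
        with self._lock:
            if self._clock() >= self._tokens["expires_at"] - self._margin:
                self._refresh()
            return self._tokens["access_token"]

    def _refresh(self):
        reply = self._refresh_fn(self._tokens["refresh_token"])
        new = {
            "access_token": reply["access_token"],
            # Assumption: the provider may rotate the refresh token on every refresh.
            "refresh_token": reply.get("refresh_token", self._tokens["refresh_token"]),
            "expires_at": self._clock() + int(reply["expires_in"]),
        }
        self._save_fn(new)   # persist before use: a crash must not lose a rotated token
        self._tokens = new


def demo():
    """Constructed run against a fake token endpoint and a fake clock."""
    now, calls, saved = [1000.0], [], []

    def fake_refresh(refresh_token):
        calls.append(refresh_token)
        n = len(calls)
        return {"access_token": f"access-{n}", "refresh_token": f"refresh-{n}", "expires_in": 3600}

    start = {"access_token": "access-0", "refresh_token": "refresh-0", "expires_at": 4600.0}
    mgr = TokenManager(start, fake_refresh, saved.append, clock=lambda: now[0])
    seen = []
    for advance in (0, 3400, 0, 3400):   # constructed timeline, in seconds
        now[0] += advance
        seen.append(mgr.access_token())
    return seen, calls, saved
```

Because the stored refresh token is a long-lived credential for the whole account, `save_fn` should write to storage that only the auth server can read.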