Explicit froward proxy with APM authentication before get internet access

HI I have setup explicit forward proxy for POC. The case is, the client wants the following: 1. before the user can access internet, It will Authenticate first via AD, then allow internet if Authenticated. 2. f5 will send traffic to Palo Alto as firewall and SWG.

 

My configuration: Create VS via iapps base from other comments here in dev central. Test HTTP and HTTPS traffic, It works. Apply Access policy, test HTTP, it works, Test HTTPS doesn't work Other concern is everytime you visit website, it always require logon which is not suppose to happen.

 

Below figure is my policy:

 

Two things are my pending: 1. HTTPS not work IF I attached access policy. 2. How can I remove the user logon everytime it visit website but authenticated by AD.

 

Any one can help me. Your help is highly appreciated.