The best approach, in my opinion, is to point the portal resource at an internal virtual server with a simple access policy (start-allow) and an SSO profile, the last thing you tried. The trick is that you have to set the internal SSO profile's session variables in the external access policy. So, for example, if you were doing form-based SSO on one internal policy (which might use the session.logon.last.username and session.logon.last.domain session variables), and Kerberos SSO on another (which would require session.logon.last.username and session.logon.last.domain), then you would need to set all of those session variables in the external access policy.
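As an added illustration, not taken from the post above or from F5's documentation, here is the shape of the Variable Assign entries the external access policy would carry so that the internal SSO profiles find what they need. It uses APM's Tcl expression syntax for custom variables; the assumption that the logon page collects a UPN-style name (user@domain) and that the forms SSO profile also wants the password are mine, not the post's.

```tcl
# Variable Assign agent placed in the EXTERNAL access policy, after the logon page.
# Each line is one "custom variable = custom expression" entry in the agent.
# Assumption: the logon page collected a UPN such as jdoe@corp.example, so the
# username and domain the internal SSO profiles read are derived from it here.

# Bare username for both the forms SSO and Kerberos SSO profiles
session.logon.last.username = expr {[lindex [split [mcget {session.logon.last.username}] "@"] 0]}

# Domain part of the UPN, required by the Kerberos SSO profile
session.logon.last.domain   = expr {[lindex [split [mcget {session.logon.last.username}] "@"] 1]}

# Password for the forms SSO profile; -secure keeps it out of the session report
session.logon.last.password = expr {[mcget -secure {session.logon.last.password}]}
```

Because these are evaluated on the external policy, check the variables in the session report of the external access profile (Access > Overview > Active Sessions) before troubleshooting the internal virtual server; if they are empty there, the internal SSO profile has nothing to work with.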