I hope you can support me with a deployment I am trying to achieve these days, please.
Currently, my organisation has several applications that use SAML for SSO, which is configured in Azure AD. Thus, by using a browser, a user can access www.myapp1.com (over the Internet) with their organisation credentials, then the SAML SSO occurs in Azure AD and finally the user can access the application. I need to deploy the APM Portal Access agent for all those apps in order to make the F5 the Identity Provider (IdP) when the users access the applications through the webtop portal. In other words, I need to publish the current apps in the webtop and use SAML towards Azure AD to authenticate the users.
Here comes the tricky requirement from my boss. We need the users who come from the Internet to be forced to use the APM portal webtop to access the apps (the F5 APM will be the SAML IdP), BUT the users who are located on campus (in the internal network) do not need to use the APM to perform the SAML auth. In the latter situation, the users will reach Azure AD directly to perform the SAML auth, so it could be said that the current deployment will be maintained for the users located on campus. If this scenario is possible, how could I achieve this kind of "hybrid" deployment, in which I use the APM for the users accessing from the Internet while the users accessing from the campus keep using the current SAML SSO deployment (in Azure AD)? How could I tell the Office 365 Azure AD to become the SP on a per-application basis without affecting the other apps that might not need to be published in the APM webtop?
I would really appreciate it if you could give me some guidance or ideas so that I can at least perform some testing before explaining the design to my boss.