I have an on premise sso enabled application that is not available in the azure ad gallery.
I want hundreds of customers to be able to access it, and I understand I can only configure this app with azure ad premium.
Is this a supported scenario: apply premium license to admins to configure the custom app, apply basic license to customers (using b2b guest accounts and for dynamic group access rules) and make the app available to these customers group? Essentially mixing premium and basic licensing.
I found understanding the licencing a bit complicated but here goes. So you are talking about Azure AD B2B collaboration, right? This is the way it works is
"Azure AD allows for B2B collaboration by enabling the use of a select set of Azure AD features to guest users who are invited into the Azure AD tenant. While some features are free, for any paid Azure AD features, guest users must be licensed as follows: with each Azure AD paid edition license that you own for an employee or a non-guest user in your tenant, you will also be able to invite up to 5 guest users to the tenant. The features you can extend to these guest users will depend on the type of Azure AD edition you purchase. There is no charge for inviting a guest user and assigning him/her to an application in Azure AD, for up to 10 apps per guest user. For paid Azure AD features that are extended to guest users, the inviting tenant will need the appropriate number of Basic or Premium P1 or Premium P2 licenses to cover guest users, in the 1 license: 5 users ratio as described above."
Simple, yeh? So you want to invite 200 collaboration users to the Azure AD tenant? You can do that for free as long as you don't need to use any paid Azure AD features. That's probably quite limiting if want to use Group-based access management /provisioning or the Azure AD Application Proxy, for example with these users. Then you'd need to purchase 40 Azure AD Basic Licences, in this case. Say you need Dynamic Groups or conditional access, for some of the users, say half, you'd buy 20 Basic Licences and 20 Azure AD P1 licences.
Having reread it now makes sense, and in fact if we license our guest users with basic, (to be able to manage in groups) we'd be covered.
What I can't understand yet is the SSO bit. Say we license admins with P1, can they configure a custom app to use SSO and make it available to these basic users, it's not an app in the gallery so needs configuring.
I am not totally sure about this. You have the on-prem web app, which I would have thought meant using the Application Proxy, which I linked to previously. Then publish the app into Azure portal and you could assign the guest users to the app accordingly and provide B2B access in principle.
There could be a lot more to it than that, for example, you mention SSO but I am not sure how that works in this case. Personally, I'd test this with a Proof of Concept or ask Microsoft this question directly, if you have means, via Azure support etc. Also, by the way, there is a dedicated space for Azure AD B2B Collaboration, that's worth checking out. Good luck.