We have an onsite website. We have a requirement to allow some external people access the site. I was thinking of using Azure Application Proxy, which we've used to great success with internal users.
However, while I think the website supports SAML, my understanding is that when the users log on, they will be required to enter a username and password on the website anyway, so no SSO.
I've been reading https://docs.microsoft.com/en-us/azure/active-directory/external-identities/hybrid-cloud-to-on-premi...
but I'm confused if we have to create a shadow account on our onsite AD if they won't be using SSO? I.e., will AAP authenticate their guest account to the point they can see the web page?