If the app is claim aware, configure it to use your ADFS as an Identity Provider.
ADFS should be installed on a member server of the domain where the users are (if the domain have a bi-directional AD trust, then it could be a member of any of the domains).
Then create a relying party trust for your app in ADFS.
Install a WAP server.
Until here, pretty straight forward (but please do tell us if you are stuck on one of these steps, we can help you out).
Then it is the tricky part, the DNS resolution.
Clients connected internally are using an internal DNS. Make sure the FQDN of your ADFS farm (let say adfs.company.com - note that it has to be on a public namespace) resolves to the internal IP address of your ADFS server.
Clients connected externally are using public DNS servers. Make sure the FQDN of your ADFS farm (the same name as internally - hence the requirement to belong to a public namespace) resolves to the public IP address of your WAP server.
This is what we refer in our docs as a split-brain DNS (or split-horizon). It is explained here: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-requirements#BKMK_7
The same DNS trick has to apply for your applications. Depending on the clients location, the DNS resolution will be different.
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.
