EWA and IIS in DMZ Topology / Structure / Architecture

Well, I am looking for some help with doing / understanding all the “magic”…

I found this post on the web of someone also looking to understand the “magic”: https://social.technet.microsoft.com/Forums/windowsserver/en-US/92a34798-65ee-4e5e-a185-036c6da9da3b/allowing-iis-web-application-in-dmz-to-authenticate-ad-users?forum=winserverDS

A user at the bottom responded:
The app needs to be configured for SAML, not the IIS itself. Check this: Building a test claims-aware ASP.NET application and integrating it with ADFS 2.0 Security Token Service (STS) | Microsoft Learn

ADFS can be configured in a way that if the users are accessing the app from the inside they would have an SSO experience and wouldn’t be asked for creds twice. Check this: https://blogs.technet.microsoft.com/askpfeplat/2014/11/02/adfs-deep-dive-comparing-ws-fed-saml-and-oauth/