Windows Server 2012 WAP + ADFS 3 + SP 2013


We are looking to expose a SharePoint Portal over the internet using Web Application Proxy secured with ADFS pre-authentication. The permissions to the Portal are provided through Claims based on certain AD attributes. In addition, the Portal also surfaces several SSRS reports which retrieve data from an SSAS cube. The cube contains data-level permissions for the AD groups and hence the user credential must be delegated to the cube as well.

It was proposed to secure the SharePoint Portal using Kerberos and publish it through WAP, so that WAP will do a pre-authentication via ADFS 3 and subsequently convert the SAML token to a Kerberos ticket when accessing the portal. I would appreciate it if you could provide answers to the questions below:

  1. Can WAP actually convert the SAML token to a Kerberos ticket, so that the Portal sees the user as a Kerberos user?

  2. The Portal heavily relies on Claims issued via ADFS Claim Rules. Since ADFS is not directly connected to the SharePoint Portal, can we still use ADFS Claim Rules to issue Claims to the SharePoint site?

Are there any other alternative approaches to accomplish the above scenario?

Amal

Posted 2014-12-11T13:55:42.727

Reputation: 11

No answers