Solutions for accessing webapp from inside and outside the corporate perimeter by same users?

I’m looking for solutions that could best address the following requirements.

• We plan to develop a webapp and deploy it in the cloud.
• Corporate users must be able to access the webapp from the enterprise network, where they’re already connected to a corporate Active Directory, with an SSO mechanism (e.g. SAML, OAuth/OpenID Connect, WS-Fed, etc.). This is the “easy” part, as ADFS provides solutions for this.
• Here is where it gets less obvious: The same users can be on the road, and still be able to connect to the same webapp.
• When they’re on the road, though, SSO is not mandatory: they could connect with other login credentials (e.g. via the webapp’s own userid/password management system, or through a third-party identity provider). If there are solutions where they still could use their AD credentials from the outside of the company, this should be of course considered.
• In any case, a user should get her/his same preferences, personal data, etc. in the webapp, independently of the way s/he logs in (i.e. from inside the company or when on the road)
• If a user is de-provisioned from the AD, s/he must not be able to connect using the webapp’s own login system or third-party identity provider. Same thing if her/his group memberships change: it must be taken into account in the webapp, whatever the login option used.

I understand there are many possible solutions (VPN connection, using Azure AD, etc.), but what would be the one(s) with the best combination of impacts on the present infrastructure, cost, user-friendliness, security, and availability?

Thanks!