Thank you, Hubert,
If we use the cert + form, would SSO be able to take a generic attribute from the cert that simply identifies the device as 'company owned' independent of the user logging in...?
For example, a check is done on the cert first to identify it as a corporate device, not tied to a user (=allow), then a form is presented that would prompt for a valid user + password (a shared device).
The objective is to expose the portal (Identity Portal, SSO protected) from anywhere, but only for corporate devices and from valid identities (although the cert will be a device cert, not a user cert).
Thanks