Is your portal exposed to the outside, or just internal/VPN users? If just internal/VPN, I'd personally push out a GPO to add your portal to the list of trusted sites in IE. That way you should get a single sign-on experience and won't need to manually pass credentials at all, as long as you're logged into the domain.
It is open to the outside. I only want users who are on our domain to access Portal, but I want some of my applications and layers to be open to everyone (for, say, an Open Data Portal). I've been looking at the SAML single sign-on option, but I thought I had read somewhere that I cannot use built-in logins as well as SAML. I have Field Workers who are not in Active Directory that use applications in the field, and I want them to be able to access as well. Not to mention we have public-facing applications in the works as well. If I can do all that with SAML, then I'm in.
I'd strongly recommend SAML over IWA in a situation where you need to share some services to the public but keep others private. You can support both built-in and domain users with SAML, but not with IWA.
SAML is by far your best option here. You can even support multi-factor auth with Portal if your SAML provider can support it.
Awesome! Apparently I've gotten some bad information in the past. Going to go forward with SAML.