The way that I've always treated this discussion with my clients is that IWA (Windows) or PKI/LDAP (Linux) is an authentication step before you get to the Enterprise Portal, i.e. the Web Adaptor determines if you can pass through to the Portal Component.
Simply, if you're registered not in the AD/LDAP, you're not getting to the Enterprise Portal.
This means this approach excludes the use of Portal Tokens and SAML2. For those options to work, you have to be able to pass through the Web Adaptor anonymously.
Therefore, I do not believe you can do both authentication options from the same portal.
On the OGC/Security front, if you have a non-federated ArcGIS Server, then you can get creative with the authentication in front of it. IP to IP restrictions, HTTP Basic etc - however, this is going to be global security to the server, and is not web-service specific. That can be limiting. The wider issue that I've observed is that there is no true security/authentication standard for OGC clients, and with so many options out there, I'd argue that some of those developers need to incorporate esri tokens security as an option/addin/extension to their products.
It's an interesting/grey area that has tripped several of my clients up.
Scott Tansley
https://www.linkedin.com/in/scotttansley/
