Hello Gary,
Using SAP Single Sign-On product (license required) it is very easy to implement SSO for SAP Fiori (for PC or for mobile access). For example you can choose to use the SAML scenario. It is possible to configure the MS AD as user store for the SAML IdP and then users who try to authenticate from outside corporate network will have to use their MS AD User&Password for authentication. Using this scenario it will be possible also to implement Mobile SSO for SAP Fiori Client (supported out of the box with the mobile application SAP Authenticator).
You can also improve the security for the external access by implementing risk-based authentication and configuring the system to prompt users for two-factor authentication (OTP) in addition to their MS AD User&Password only when they try to authenticate to SAP Fiori from outside corporate network.
You can also chose the X.509 client certificate scenario and for this scenario it will be also possible to configure the MS AD as user store and users will be prompted again for their MS AD User&Password.
Q1/A1: For both scenarios the AS JAVA is necessary and you will not be able to "get rid of AS JAVA".
Q2/A2: If you are using the SAP IDM product it is possible to provision the users and their roles automatically to the AS ABAP server.
Q3/A3: Yes, the user needs to be available in the back end AS ABAP system and also in the SAP NW Gateway system.
Q4/A4: As I already mentioned both scenarios SAML and X.509 allow integration with AS AD and for both the user credentials will be checked against the MS AD.
See some details about SSO for Fiori and risk-based authentication:
Mobile Single Sign-On for SAP Fiori with SAP Authenticator
Risk-Based Authentication for Your Critical Business Processes
We also offer an implementation guide for Mobile SSO for Fiori, that you can use also to implement SSO for Fiori via the Browser for PC. Just skip the mobile device part and configure basic authentication instead of OTP authentication if you want to enable users to authenticate with their MS AD User& Password. For the last one you have to make sure that MS AD is configured as User store for AS JAVA. See the guide here: Mobile SSO for SAP Fiori - Step-by-Step Guide
If you want more details how the solution is working using SAP Single Sign-On product, we can organize a conference call and I can also demonstrate the solution to you and your team. If you find necessary just send me a message on <donka.dimitrova at sap.com>.
Regards,
Donka Dimitrova