Hello Gary,
Yes, the AS JAVA server is necessary for the two scenarios, descibed by me, because both components the Secure Login Server (X.509) and the SAML IdP are running on AS Java server. It is not necessary to install a dedicated AS Java for this purpose. These components could be installed on an existing for the company AS Java server.
In general for Fiori SSO scenario it is possibe to use the SSO technologies supported by AS ABAP for Web UI and this includes X.509 client certificates (as I alraedy mentioned).
SNC is configured when you use SAP GUI for Windows. When you implement SAP GUI for HTML, you configure SSL.
Regards,
Donka