Hello Gary,
Actually there is one more variant based on SAML technology and this variant doesn't require an AS Java server.
You can achieve SAML SSO with MS AD User&Password using our SAP Cloud Identity service. The user will authenticate against SAP Cloud Identity and the User&Password will be checked at the MS AD and if they are correct the SAP Cloud Identity IdP will issue a SAML assertion that could be used for authentication with SAP Fiori.
SAP Cloud Identity is a service running in the cloud. See more details about the SAP Cloud Identity integration with the on premise user store here in this blog:
How to Connect Your Cloud Applications with Your Corporate User Store
Regards,
Donka Dimitrova