I have helped many companies with kiosk workstation user logon when using Active Directory credentials. However, the requirements are not the same as yours. Most companies in my experience want the ECC logon to prompt for Active Directory credentials, and for browser-based logon to also prompt for Active Directory credentials. Then, the user only has to remember their domain credentials and doesn't need any SAP password to remember.
However, in your description of customer requirements, you are expecting the ECC logon to allow the user to log on using a web browser without being prompted again, and also allowing browser logon to allow ECC logon without prompting again. This makes your requirements different and more challenging to achieve.