Thanks for the response. It was helpful. The link https://learn.microsoft.com/en-us/azure/active-directory/external-identities/hybrid-cloud-to-on-premises had a possible option - "Create B2B guest user objects through an Azure AD B2B script" that I tested out, but it didn't quite work.
The on-premise app that I am trying to publish is an RDWeb server. As I said, I've got SSO working for users that are in my on premise AD/Azure AD, but when I try and login with a guest Azure AD user the SSO fails. I've setup SSO for the RDWeb server using this technique https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-password-single-sign-on-non-gallery-applications
I believe the reason the external SSO fails is because the external user has a Azure login ID of firstname.lastname@example.org. This translates to the following ID in our Azure AD of UserOne_extcloud.onmicrosoft.com#EXTemail@example.com. Based on the powershell script in the above link, I tried creating an on premise AD user with the account ID of UserOne_extcloud.onmicrosoft.com#EXTfirstname.lastname@example.org. I'm able to create the account, but when I try and access the MyApps site with the external user account, the SSO process still fails.
The problem is that when I go to access the RDWeb server published thru MyApps and connect with the email@example.com account that is ok. Then when I launch the app for the RDWeb server I'm taken to the RDWeb login page and instead of trying to login with the UserOne_extcloud.onmicrosoft.com#EXTfirstname.lastname@example.org account, the login account is using the email@example.com account and so the SSO process fails.
One way that I can think to make this work is to create the firstname.lastname@example.org user in my on-premise AD. But I'm not sure I can create an on-premise user account with the @extcloud.onmicrosoft.com UPN. Do you know if this is possible?