Hi @KP
Thanks for reaching out to Microsoft Q&A.
If you also need MFA other than SSO, Entra Application Proxy is the best solution for you if your application works with the Kerberos protocol:
https://learn.microsoft.com/en-us/entra/identity/app-proxy/overview-what-is-app-proxy
The document below has the step-by-step to configure an on-prem application with App Proxy:
Hope it helps.
Thanks,
Fabio