I'll divide the answer into 3:
- Enabling SAML authentication for an app
- AD Federation
- Bi-directional sync
- SAML authentication using an identity in Azure Active Directory -
When using SAML, you delegate the authentication and authorization for your app to an external identity which you trust, in this case Azure AD.
Since your users are synced to Azure using ADConnect, you can use your AD identity to authenticate.
Note: *this will not require any additional licensing and is available in the free Azure AD subscription*
To authenticate an app, you need to create an application in your AD, enable SAML authentication and configure your app. It's actually pretty straightforward (unless you require special configuration) and here is a great explanation on how to set it up.
- Active Directory federation is an extension to your local environment, to enable federation for internet-facing applications. This document explains it better than I could. If you set up ADFS, you will be able to federate your applications' authentication (and authorization) to your local AD, but this will require you to set up ADFS and expose it to the internet.
- From how I read your question, bi-directional sync can mean either of two things:
a. Password hash sync
b. Seamless Single Sign-On
Bottom line (if I understood your question correctly): you can set up SAML authentication for your app in your current configuration.
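As an added illustration (not part of the answer above) of what "configure your app" for Azure AD SAML involves on the receiving side: once a SAML library has verified the XML signature, the app must still check that the assertion's issuer is its own tenant, that the audience is this app, and that the validity window holds. The tenant id, app Entity ID and the SAML response below are constructed placeholders.

```python
"""Sanity checks a service provider applies to a SAML Response from Azure AD.
Signature verification is left to the SAML library; these are the checks that
remain after it. Tenant id, app URIs and the sample response are constructed."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TENANT_ID = "00000000-0000-0000-0000-000000000000"            # placeholder tenant
EXPECTED_ISSUER = f"https://sts.windows.net/{TENANT_ID}/"      # Azure AD issuer format
EXPECTED_AUDIENCE = "https://app.example.com/saml/metadata"   # placeholder app Entity ID

# Constructed sample response (signature element omitted for brevity).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
<saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
<saml:Subject><saml:NameID>alice@contoso.example</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
<saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
</saml:Conditions></saml:Assertion></samlp:Response>"""
VALID_AT = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)    # inside the window
EXPIRED_AT = datetime(2024, 1, 1, 12, 10, tzinfo=timezone.utc)  # after NotOnOrAfter

def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:05:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def check_response(xml_text, now, issuer=EXPECTED_ISSUER, audience=EXPECTED_AUDIENCE):
    """Return a list of problems; an empty list means the assertion passes these checks."""
    root = ET.fromstring(xml_text)
    problems = []
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    got_issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if got_issuer != issuer:                      # assertion must come from our tenant
        problems.append(f"issuer {got_issuer!r} is not the expected tenant")
    got_aud = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                 default="", namespaces=NS)
    if got_aud != audience:                       # assertion must be addressed to this app
        problems.append(f"audience {got_aud!r} is not this app")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:                          # enforce the validity window
        not_before, not_on_or_after = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
        if not_before and now < not_before:
            problems.append("assertion not yet valid")
        if not_on_or_after and now >= not_on_or_after:
            problems.append("assertion expired")
    return problems
```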