Hi,
I think your best option is to use APM as an authentication portal and show the app links in there. This is called IDP Portal: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-6-0/28.html?sr=52932618
You can use as AAA server your website but the APM needs to know how to assign resources to the users ( for example an HTTP header with the resources for the user in the response from the website, then you can an irule to capture this).
Your point 1, if you present the IDP to the user, or your website performs SSO or the user will need to authenticate again otherwise there's no way to know which user is accessing the service.
Hope this helps
Nimbostratus
