I have two NAM infrastructures, one just for inside and one just for outside.
Only the outside is visible from the internet.

I've got the outside NAM IDP federated to an external SP (and application), which seems to work.
I've just got outside and inside NAMs connected with the inside as IDP and outside as SP.

However, I'm trying to get it so that if a user is authenticated to the inside NAM, they don't get prompted to log in to the external application.
My head is going round in circles trying to figure this out!
Here is a bulleted version:
1- when an internet user logs into external app and SP, they should get a login from the outside IDP. This is currently working.
2- when an inside user (who is already logged into inside NAM) logs into the external app and SP, they should get through without another login
3- when an inside user (who is not logged into inside NAM) logs into the external app and SP, they should get prompted to log in to inside NAM

Can someone help me make sense of this?