Sorry for the late reply again.
I think we are instead going to opt for a different path with our agents. Our approach will be to install the full Identity Agent, and perform the following:
1. Known shared computers will only be auto logged in to a shared account; no other accounts will be allowed to log in to those computers. They are meant for checking webmail, health & safety, internal websites, and other needs for the workers that do not require individual user logins.
2. Individual computers will be reviewed, and we may possibly remove fast user switching across the domain, as there isn't too big of a need for it, just QoL for some cases.
I like your SSO captive portal idea, I'll see if I'm able to demo it out on a test group, although I tend to be met with resistance when I bring up captive portals.