I'm not sure if I can get company security approval of this web auth portal being placed in our internal network. I believe this design would only get approved by placing the web portal on a DMZ network.
It all comes down to your views on risk vs cost. Personally I've been putting a PSN out in the DMZ for this sort of thing as it feels the safest approach.
That said, there's nothing stopping you from putting the PSN on the inside of your network and leaking access to it, or you could even use multiple NICs on the PSN and span the DMZ firewall so it has a NIC in both networks at the same time. However, in my humble opinion, 'here be dragons': only do these if you are well aware of the risks.