asp.net mvc - How to detect if a request by a user is coming from a federated partner who is already authenticated with our ADFS or an external user, to enable SSO


I have both:

External users authenticate via ASP.NET Identity; internal/extranet users authenticate via an Azure AD-backed ADFS deployment on-premises.

When a user clicks a link or navigates directly to a page in the web application, I want to detect whether the user has authenticated with our ADFS, either through one of our SharePoint sites, internally or similar. If true, they should be directed to Azure AD with the correct domain_hint to enable seamless single sign-on; otherwise they should be directed to the login screen within the application.

Currently, when the application receives an unauthorized request, the user is directed to the login screen to select an authentication workflow, regardless of whether they have authenticated with the trusted federated Azure AD tenant, either through SharePoint, internally or similar.

```csharp
public class DetritusAuthorise : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(System.Web.Mvc.AuthorizationContext filterContext)
    {
        filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary
        {
            { "action", nameof(Controllers.AccountController.Login) }, { "controller", "Account" }
        });
    }
}
```

Example scenario

A user logged in to a SharePoint site clicks a link to the web application.


I am using OWIN OpenIdConnect and CookieAuthentication. I can see there are adfs.ourcompany.com, sharepoint.ourcompany.com etc. cookies in the browser, but I cannot access/detect them in the request processed by the AuthorizeAttribute.

How can I detect if the request is coming from a user authenticated with our ADFS?
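One approach, as an added example that is not from the question or any answer on this page: the browser never sends the adfs.ourcompany.com or sharepoint.ourcompany.com cookies to a different host, so the application cannot inspect them; instead the attribute asks Azure AD for a silent sign-in (prompt=none with a domain_hint) through the OWIN OpenIdConnect middleware, and a login_required/interaction_required error falls back to the application's own login page. Assumptions: a `?from=intranet` query parameter on SharePoint links (a UX hint only, never trusted for authorization), `ourcompany.com` as the domain_hint, and the Katana behaviour of surfacing the IdP error text in the AuthenticationFailed exception message.

```csharp
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OpenIdConnect;
// Hypothetical rewrite of the attribute in the question: instead of "detecting" the
// ADFS session (its cookies never reach this host) it asks Azure AD to sign in silently.
public class DetritusAuthoriseAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext ctx)
    {
        var request = ctx.HttpContext.Request;
        if (request.QueryString["from"] == "intranet") // assumed UX hint only, never a security decision
        {
            var props = new AuthenticationProperties { RedirectUri = request.RawUrl };
            props.Dictionary["prompt"] = "none";                // no login UI at Azure AD
            props.Dictionary["domain_hint"] = "ourcompany.com"; // assumed federated domain
            ctx.HttpContext.GetOwinContext().Authentication.Challenge(
                props, OpenIdConnectAuthenticationDefaults.AuthenticationType);
            ctx.Result = new HttpUnauthorizedResult(); // the 401 lets the OWIN challenge run
            return;
        }
        ctx.Result = new RedirectToRouteResult(new RouteValueDictionary
            { { "action", "Login" }, { "controller", "Account" } });
    }
}
// Assign to OpenIdConnectAuthenticationOptions.Notifications in Startup.ConfigureAuth.
public static class OidcNotifications
{
    public static OpenIdConnectAuthenticationNotifications Create() =>
        new OpenIdConnectAuthenticationNotifications
        {
            RedirectToIdentityProvider = n =>
            {
                var d = n.OwinContext.Authentication.AuthenticationResponseChallenge?.Properties.Dictionary;
                if (d != null && d.TryGetValue("prompt", out var p)) n.ProtocolMessage.Prompt = p;
                if (d != null && d.TryGetValue("domain_hint", out var h)) n.ProtocolMessage.DomainHint = h;
                return Task.FromResult(0);
            },
            // login_required / interaction_required: no federated session, use the app's own login.
            AuthenticationFailed = n =>
            {
                if (n.Exception.Message.Contains("login_required") ||
                    n.Exception.Message.Contains("interaction_required"))
                { n.HandleResponse(); n.Response.Redirect("/Account/Login"); }
                return Task.FromResult(0);
            }
        };
}
```

A successful silent attempt establishes the application cookie with no interaction, so the SharePoint cookies are never needed; a Referer header is no more trustworthy than the query hint and should likewise only steer UX.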

