We are creating an application that will (hopefully) allow users to authenticate by multiple means. Either cloud-based services (Google, Facebook, etc.) or--hopefully--by their own company's Active Directory.

Is there a reasonably simple way to do this, without over-reaching what a client is going to be willing to do to make this possible?


At a high level you might want to invest some time in thinking about how to architect the identity layer of your application and how to abstract all the different authentication providers. One way of doing it is by leveraging a claims-based identity approach. Instead of embedding all the authentication/authorization logic in the application, you have a layer in which you convert user attributes coming from the authentication provider into a common representation across them. This is called "claims-based identity".

You can download a free book from Microsoft that talks about this approach: A Guide to Claims-Based Identity and Access Control (2nd Edition).

On a more concrete level, implementation will vary depending on what platform/language you are using and the libraries available. If you want to integrate with social identity providers, typically the protocol used is OAuth2 (Google, Facebook, LiveID) or OAuth 1.0a (Twitter). In .NET you have libraries like DotNetOpenAuth that implement those protocols. If you want to integrate with something like ADFS (Active Directory Federation Services), the protocol used is WS-Federation with SAML tokens or the SAML 2.0 protocol. In .NET the library of choice is Windows Identity Foundation (WIF). Mixing both in the same application is not easy. That's what I meant by investing in a common abstraction layer.

Finally, there are cloud services that might help. These are brokers between your app and the identity providers. From the app point of view, you implement one library:

woloski
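As an added illustration of the abstraction layer described in this answer (example code, not from the answerer or from WIF/DotNetOpenAuth), the snippet below maps an already-verified Google OIDC token and an already-verified ADFS SAML attribute statement onto one common identity type; the issuer list and the `example.com` ADFS address are constructed for the example, and token signature validation is assumed to have happened before these functions are called.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Identity:
    """Provider-independent claims the rest of the app works with."""
    issuer: str             # which provider vouched for the user
    subject: str            # stable id scoped to that issuer, never the e-mail alone
    email: Optional[str]    # None unless the provider asserts it is verified
    name: Optional[str]
    roles: Tuple[str, ...] = ()

# Issuers the app has agreed to trust; anything else is rejected up front.
# Constructed sample values, not a real customer's ADFS.
TRUSTED_ISSUERS = {
    "https://accounts.google.com": "oidc",
    "http://adfs.example.com/adfs/services/trust": "wsfed",
}

# Standard claim URIs ADFS puts into a SAML token (multi-valued, hence lists).
WSFED_UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
WSFED_EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
WSFED_NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
WSFED_ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

def from_oidc(token: Dict) -> Identity:
    """Map the claims of an already signature-checked OAuth2/OIDC id_token."""
    verified = token.get("email_verified") is True
    return Identity(token.get("iss", ""), token.get("sub", ""),
                    token.get("email") if verified else None, token.get("name"))

def from_wsfed(issuer: str, attrs: Dict) -> Identity:
    """Map the attribute statement of an already signature-checked SAML token."""
    first = lambda uri: (attrs.get(uri) or [None])[0]
    return Identity(issuer, first(WSFED_UPN) or "", first(WSFED_EMAIL),
                    first(WSFED_NAME), tuple(attrs.get(WSFED_ROLE, [])))

def to_identity(issuer: str, raw: Dict) -> Identity:
    """Single entry point the application calls, whatever the provider."""
    kind = TRUSTED_ISSUERS.get(issuer)
    if kind is None:
        raise ValueError("untrusted issuer: " + issuer)
    ident = from_oidc(raw) if kind == "oidc" else from_wsfed(issuer, raw)
    # a token naming another issuer, or no subject at all, must not log anyone in
    if ident.issuer != issuer or not ident.subject:
        raise ValueError("token does not identify a subject for this issuer")
    return ident

def user_key(ident: Identity) -> str:
    """Account lookup key: issuer plus subject, so two providers cannot collide."""
    return ident.issuer + "#" + ident.subject
```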

We have a couple of third-party cloud based systems that require access to our Active Directory in order to provide single sign on.

For both we just set up a firewall publishing rule locked down by IP address so that only specific servers can connect over the internet to our Domain Controller. It is also only enabled for encrypted traffic.

Depending on what firewall you have, the config will be different, so if you update your question with the details you may get more specific answers.

Phil

Microsoft handles this using their "DirSync" tool which is based on Forefront Identity Manager and ADFS for single-sign-on between their local directories and cloud directories. It's how they get SSO for the Office 365, Intune, and Lync Online stuff.

You'll need to implement something similar, most likely, or convince the customer to open their firewall to your specific services and do LDAPS or something directly against their AD.

MDMarra